CVE-2024-5647

Published: Jul 3, 2025

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

6.4

MEDIUM

Description

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.

Vendor	Product	Versions
blossomthemes	BlossomThemes Social Feed	affected `0 - <= 2.0.5`
sayful	Carousel Slider	affected `0 - <= 2.2.14`
divisupreme	Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder	affected `0 - <= 2.5.52`
robosoft	Robo Gallery – Photo & Image Slider	affected `0 - <= 3.2.22`
gutentor	Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor	affected `0 - <= 3.4.9`
oceanwp	OceanWP	affected `0 - <= 3.6.0`
thehappymonster	Happy Addons for Elementor	affected `0 - <= 3.12.2`
badhonrocks	Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme	affected `0 - <= 4.0.5`
Elegant Themes	Divi Builder	affected `0 - <= 4.27.1`
Elegant Themes	Divi	affected `0 - <= 4.27.1`
Elegant Themes	Divi Extra	affected `0 - <= 4.27.1`
boldthemes	Bold Page Builder	affected `0 - <= 5.1.2`
wpdevteam	Essential Addons for Elementor – Popular Elementor Templates & Widgets	affected `0 - <= 6.0.4`
gn_themes	WP Shortcodes Plugin — Shortcodes Ultimate	affected `0 - <= 7.4.2`