CVE-2024-5061

The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*

History

03 Sep 2024, 15:11

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4
Summary
  • (es) El tema Enfold - Responsive Multi-Purpose Theme para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de los parámetros 'wrapper_class' y 'class' en todas las versiones hasta la 6.0.3 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarias en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.
References () https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990 - () https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/25462492-59d2-44b7-81c3-93ac04a08bcc?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/25462492-59d2-44b7-81c3-93ac04a08bcc?source=cve - Third Party Advisory
CPE cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*
First Time Kriesi
Kriesi enfold

30 Aug 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-30 04:15

Updated : 2024-09-03 15:11


NVD link : CVE-2024-5061

Mitre link : CVE-2024-5061

CVE.ORG link : CVE-2024-5061


JSON object : View

Products Affected

kriesi

  • enfold
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')