CVE-2024-5020

Summary

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Software

VendorProductVersion RangeStatus
extendthemesColibri Page Builder0 <= 1.0.286affected
smubEnvira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More0 <= 1.8.15affected
bqworksAccordion Slider0 <= 1.9.12affected
10webForm Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder0 <= 1.15.27affected
jetmonstersGetwid – Gutenberg Blocks0 <= 2.0.11affected
firelightwpFirelight Lightbox0 <= 2.3.3affected
dfactoryResponsive Lightbox & Gallery0 <= 2.4.8affected
shapedpluginCarousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel0 <= 2.6.8affected
colorlibpluginsFancyBox for WordPress0 <= 3.3.4affected
nkoVisual Portfolio, Photo Gallery & Post Grid0 <= 3.3.9affected
smubPhoto Gallery, Sliders, Proofing and Themes – NextGEN Gallery0 <= 3.59.4affected
wpcleverWPC Smart Quick View for WooCommerce0 <= 4.1.1affected
posimyththemesNexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder0 <= 4.3.1affected
Easy Social FeedEasy Social Feed Premium0 <= 6.6.2affected
foliovisionFV Flowplayer Video Player0 <= 7.5.47.7212affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References