CVE-2024-5645
Published
CVSS v3: 6.4 MEDIUM
CVSS v2: N/A
Affected: 1 project
Description
The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
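As an added illustration of the defect class described above (this is not code from the Envo Extra plugin), the snippet below shows a hypothetical Button widget render function that prints the saved button_css_id setting into an HTML id attribute, first without escaping and then with WordPress-style sanitization and attribute escaping. The stub helpers, render functions and $settings array are assumptions so that it runs outside WordPress.

```php
<?php
// Added illustration (not Envo Extra's code): how a widget must treat a
// user-controlled CSS id before printing it as an HTML attribute value.

// Stand-ins for WordPress helpers so this runs outside WP. In a real plugin
// call the core functions esc_attr() and sanitize_html_class() instead.
function esc_attr_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function sanitize_html_class_stub(string $class): string {
    // Keep only characters that are valid in an HTML id/class token.
    return preg_replace('/[^A-Za-z0-9_-]/', '', $class);
}

// Vulnerable pattern: the stored setting is concatenated straight into markup,
// so a quote in the value terminates the attribute early.
function render_button_unsafe(array $settings): string {
    return '<a id="' . $settings['button_css_id'] . '" class="envo-btn">Go</a>';
}

// Hardened pattern: restrict the value to id-safe characters on save/render,
// then escape at the point of output as defence in depth.
function render_button_safe(array $settings): string {
    $id = sanitize_html_class_stub($settings['button_css_id']);
    return '<a id="' . esc_attr_stub($id) . '" class="envo-btn">Go</a>';
}

// Constructed value standing in for what a Contributor could save in the widget.
$settings = ['button_css_id' => 'cta" data-injected="1'];
echo render_button_unsafe($settings), "\n"; // attribute boundary is broken
echo render_button_safe($settings), "\n";   // <a id="ctadata-injected1" class="envo-btn">Go</a>
```

The same two-step rule (sanitize the stored value, escape at output) applies to every widget setting that ends up inside an attribute, not only the id.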
Envo Extra adds extra features and options to the free Enwoo (https://enwoo-wp.com/) and Envo Royal (https://envothemes.com/envo-royal-free-wp-theme/) themes, such as widgets, WooCommerce options, Elementor and Gutenberg widgets, one-click demo import and much more. It also adds one-click demo import for EnvoThemes (https://envothemes.com/) WooCommerce themes.

Credits & Copyright

Kirki, Copyright (c) 2017, David Vongries/Aristeides Stathopoulos
License: MIT
Source: https://wordpress.org/plugins/kirki/