CVE-2024-5647

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-5647

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5647.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-5647

Published

2025-07-03T10:15:34Z

Modified

2025-07-04T09:54:15.428107Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.

References

Affected packages

Git / github.com/dimsemenov/magnific-popup

Affected ranges

Type: GIT
Repo: https://github.com/dimsemenov/magnific-popup
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

45dd72ccd1a18f0626fb958f7c49e6313556d31f

Affected versions

0.*

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.9.0

0.9.1

0.9.2

0.9.3

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

1.*

1.0.1

1.1.0