Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-5501 | WordPress Plugin Vulnerability Report
Plugin Name: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder
Key Information:
- Software Type: Plugin
- Software Slug: supreme-modules-for-divi
- Software Status: Active
- Software Author: divisupreme
- Software Downloads: 2,590,021
- Active Installs: 200,000
- Last Updated: June 12, 2024
- Patched Versions: 2.5.52
- Affected Versions: <= 2.5.51
Vulnerability Details:
- Name: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder <= 2.5.51
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-5501
- CVSS Score: 6.4
- Publicly Published: May 31, 2024
- Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
- Description: The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_one_id’ parameter in all versions up to, and including, 2.5.51 due to insufficient input sanitization and output escaping. This allows authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts into pages, potentially compromising user security.
Summary:
The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress has a vulnerability in versions up to and including 2.5.51 that allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘button_one_id’ parameter. This vulnerability has been patched in version 2.5.52.
Detailed Overview:
The vulnerability arises from insufficient input sanitization and output escaping on the ‘button_one_id’ parameter, as detailed by researcher Ngô Thiên An (ancorn_) - VNPT-VCI. Authenticated attackers, particularly those with Contributor-level access and above, can exploit this loophole to inject malicious scripts into pages. This poses significant risks, including compromising user security and potentially leading to data breaches or unauthorized access to sensitive information. To remediate the vulnerability, users must update the plugin to version 2.5.52 or later.
Advice for Users:
- Immediate Action: Update the Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin to version 2.5.52 or later to mitigate the risk of exploitation.
- Check for Signs of Vulnerability: Monitor your website for any unusual behavior, such as unexpected pop-ups or redirects, which may indicate compromise.
- Alternate Plugins: While a patch is available, users might still consider alternative plugins that offer similar functionality as a precautionary measure.
- Stay Updated: Regularly check for updates to all installed plugins to ensure protection against vulnerabilities and maintain the security of your WordPress website.
Conclusion:
The swift response from the plugin developers in releasing version 2.5.52 underscores the importance of timely updates in maintaining the security of WordPress installations. Users are advised to ensure that they are running version 2.5.52 or later to secure their WordPress installations against the vulnerability identified in CVE-2024-5501.
References:
Detailed Report:
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.