Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-5501 | WordPress Plugin Vulnerability Report

Plugin Name: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: supreme-modules-for-divi
  • Software Status: Active
  • Software Author: divisupreme
  • Software Downloads: 2,590,021
  • Active Installs: 200,000
  • Last Updated: June 12, 2024
  • Patched Versions: 2.5.52
  • Affected Versions: <= 2.5.51

Vulnerability Details:

  • Name: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder <= 2.5.51
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-5501
  • CVSS Score: 6.4
  • Publicly Published: May 31, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_one_id’ parameter in all versions up to, and including, 2.5.51 due to insufficient input sanitization and output escaping. This allows authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts into pages, potentially compromising user security.

Summary:

The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress has a vulnerability in versions up to and including 2.5.51 that allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘button_one_id’ parameter. This vulnerability has been patched in version 2.5.52.

Detailed Overview:

The vulnerability arises from insufficient input sanitization and output escaping of the ‘button_one_id’ parameter, as reported by researcher Ngô Thiên An (ancorn_) - VNPT-VCI. Because the value is written into the page without being escaped for its output context, an authenticated user with Contributor-level access or above can store script content that later executes in the browser of anyone viewing the affected page. This poses significant risks, including compromising user security and potentially leading to data breaches or unauthorized access to sensitive information. To remediate the vulnerability, users must update the plugin to version 2.5.52 or later.
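The advisory names the root cause (missing input sanitization and output escaping of a module attribute) but does not show code. The following added example is not the plugin's code and does not reproduce its actual render path; it is a generic WordPress-style illustration of the vulnerable pattern beside its hardened form. The function names `render_button_unsafe` and `render_button_safe` are hypothetical, the attribute name `button_one_id` is taken from the advisory, and the stand-in definitions of `esc_attr()` and `sanitize_html_class()` are simplified substitutes so the file runs outside WordPress (inside WordPress the real core functions are used instead).

```php
<?php
// Added example (not the plugin's code): sanitizing and escaping a
// user-controlled HTML id attribute in a WordPress module/shortcode renderer.

// Simplified stand-ins for WordPress core functions so this runs stand-alone.
// Inside WordPress these are never reached because core defines them.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( string $text ): string {
        // Escape for an HTML attribute context (quotes included).
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_html_class' ) ) {
    function sanitize_html_class( string $class ): string {
        // Strip percent-encoded sequences, then keep only [A-Za-z0-9_-],
        // mirroring the behaviour of WordPress core's sanitize_html_class().
        $class = preg_replace( '/%[a-fA-F0-9][a-fA-F0-9]/', '', $class );
        return preg_replace( '/[^A-Za-z0-9_-]/', '', $class );
    }
}

// Vulnerable pattern: the raw attribute value is interpolated straight into
// markup. A value containing a double quote closes the id attribute and lets
// the rest of the value become additional attributes or tags.
function render_button_unsafe( array $atts ): string {
    $id = $atts['button_one_id'] ?? '';
    return '<a id="' . $id . '" class="et_pb_button">Click</a>';
}

// Hardened pattern: constrain the value on input to what an HTML id needs,
// and escape again on output so the attribute context cannot be broken.
// Two layers are used because either one alone can be bypassed by a later
// code path that forgets the other.
function render_button_safe( array $atts ): string {
    $id   = sanitize_html_class( (string) ( $atts['button_one_id'] ?? '' ) );
    $html = '<a class="et_pb_button"';
    if ( '' !== $id ) {
        $html .= ' id="' . esc_attr( $id ) . '"';
    }
    return $html . '>Click</a>';
}

// Constructed sample input: a value that tries to close the id attribute.
// It is deliberately benign (an extra title attribute, no script) and only
// serves to show the difference between the two renderers.
$sample = array( 'button_one_id' => 'hero" title="injected' );

echo "unsafe: " . render_button_unsafe( $sample ) . PHP_EOL;
// unsafe: <a id="hero" title="injected" class="et_pb_button">Click</a>

echo "safe:   " . render_button_safe( $sample ) . PHP_EOL;
// safe:   <a class="et_pb_button" id="herotitleinjected">Click</a>
```

The reason the Contributor role matters here: Contributors lack the `unfiltered_html` capability, so WordPress core already filters raw HTML they put in post content, but attribute values that a plugin reads out of its own module settings and writes into the page bypass that filtering. Escaping therefore has to happen in the plugin's render path, which is exactly the fix class a patched version like 2.5.52 would carry. When reviewing a plugin update for this kind of issue, the check is that every echo of a module attribute goes through the escaping function matching its output context (`esc_attr()` for attributes, `esc_html()` for text, `esc_url()` for hrefs).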

Advice for Users:

  • Immediate Action: Update the Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin to version 2.5.52 or later to mitigate the risk of exploitation.
  • Check for Signs of Compromise: Monitor your website for any unusual behavior, such as unexpected pop-ups or redirects, which may indicate that injected script is already present on a page.
  • Alternate Plugins: While a patch is available, users might still consider alternative plugins that offer similar functionality as a precautionary measure.
  • Stay Updated: Regularly check for updates to all installed plugins to ensure protection against vulnerabilities and maintain the security of your WordPress website.

Conclusion:

The swift response from the plugin developers in releasing version 2.5.52 underscores the importance of timely updates in maintaining the security of WordPress installations. Users are advised to ensure that they are running version 2.5.52 or later to secure their WordPress installations against the vulnerability identified in CVE-2024-5501.

Introduction

In today's interconnected digital landscape, the security of your website is paramount. With cyber threats evolving at a rapid pace, staying vigilant and proactive is key to safeguarding your online presence. This urgency is underscored by recent discoveries, such as the vulnerability found in the Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress. Identified as an Authenticated (Contributor+) Stored Cross-Site Scripting issue and tracked as CVE-2024-5501, it poses a significant risk to website security and reinforces the need for website owners to keep their WordPress installations current.

Plugin Details

The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin, developed by divisupreme, is a popular choice among WordPress users, boasting over 2.5 million downloads and 200,000 active installs. However, versions up to and including 2.5.51 are susceptible to this vulnerability, which stems from insufficient input sanitization and output escaping of the ‘button_one_id’ parameter.

Vulnerability Details

The vulnerability was brought to light by researcher Ngô Thiên An (ancorn_) - VNPT-VCI and has a CVSS Score of 6.4. This vulnerability could allow authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into your web pages, potentially compromising user security.

Potential Impacts

The potential impacts of this vulnerability are grave. Attackers could exploit the vulnerability to inject malicious scripts into web pages, leading to unauthorized access to sensitive information, data breaches, or website defacement.

Remediation

To remediate the vulnerability, website owners must promptly update the Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin to version 2.5.52 or later. This closes the weakness and protects the website from potential exploitation; note that an update removes the injection point but does not remove script that may already have been stored in existing pages, so content added by Contributor-level accounts before the update is worth reviewing.

Importance of Staying Proactive

For small business owners who may lack the time or resources to stay on top of security vulnerabilities, proactive measures are essential. Regularly updating plugins to their latest versions is a crucial step in mitigating the risks posed by vulnerabilities like CVE-2024-5501. Additionally, monitoring for signs of compromise, considering alternative plugins, and staying informed about security best practices are all vital components of a robust security strategy. By prioritizing website security and staying proactive, small business owners can effectively protect their online assets and maintain the trust of their customers.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
