Supreme Modules Lite Vulnerability – Authenticated (Contributor+) DOM-Based Cross-Site Scripting – CVE-2024-4334 | WordPress Plugin Vulnerability Report
Plugin Name: Supreme Modules Lite
Key Information:
- Software Type: Plugin
- Software Slug: supreme-modules-for-divi
- Software Status: Active
- Software Author: divisupreme
- Software Downloads: 2,191,354
- Active Installs: 200,000
- Last Updated: May 1, 2024
- Patched Versions: 2.5.4
- Affected Versions: <= 2.5.3
Vulnerability Details:
- Name: Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder <= 2.5.3 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-4334
- CVSS Score: 6.4 (Medium)
- Publicly Published: May 1, 2024
- Researcher: Webbernaut
- Description: The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'typing_cursor' parameter in versions up to, and including, 2.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Supreme Modules Lite for WordPress has a vulnerability in versions up to and including 2.5.3 that allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 2.5.4.
Detailed Overview:
According to researcher Webbernaut, the Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'typing_cursor' parameter in versions up to, and including, 2.5.3 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page, potentially compromising the site and its users.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update the Supreme Modules Lite plugin to version 2.5.4 or later to patch this vulnerability.
- Check for Signs of Vulnerability: Users should review their site for any suspicious or unauthorized scripts that may have been injected.
- Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.5.4 or later of the Supreme Modules Lite plugin to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/supreme-modules-for-divi
Detailed Report:
In the fast-paced world of online business, website security is paramount. As a small business owner with a WordPress site, you likely have a million things on your plate, and staying on top of potential vulnerabilities can be a daunting task. However, a recent vulnerability discovered in the Supreme Modules Lite plugin highlights the importance of remaining vigilant and keeping your site updated.
Plugin Details:
The Supreme Modules Lite plugin, designed to enhance the Divi Theme, Extra Theme, and Divi Builder, is a popular choice among WordPress users, with over 200,000 active installations. Developed by divisupreme, the plugin boasts an impressive 2,191,354 downloads. The latest version, 2.5.4, was released on May 1, 2024, patching a critical vulnerability present in versions up to and including 2.5.3.
Vulnerability Details:
The vulnerability, identified as CVE-2024-4334, is a DOM-Based Cross-Site Scripting (XSS) issue discovered by researcher Webbernaut. It allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts into pages via the 'typing_cursor' parameter. These scripts will execute whenever a user accesses an injected page, potentially compromising your site and its users.
Risks and Potential Impacts:
XSS vulnerabilities can lead to a range of serious consequences:
- Unauthorized access to sensitive information
- Defacement of your website
- Distribution of malware to your users
- Damage to your website's reputation and user trust
Vulnerability Remediation:
To protect your WordPress site from this vulnerability, it is crucial to update the Supreme Modules Lite plugin to version 2.5.4 or later. If you are running an affected version (2.5.3 or earlier), take immediate action to update the plugin. Additionally, review your site for any suspicious or unauthorized scripts that may have been injected.
Previous Vulnerabilities:
While the current vulnerability is a pressing concern, it is essential to note that this is not the first time Supreme Modules Lite has faced security issues. Staying informed about past vulnerabilities can help you understand the importance of regular updates and the potential risks associated with the plugin.
The Importance of Staying Updated:
As a small business owner, your time is valuable, and staying on top of security vulnerabilities may seem like an overwhelming task. However, the consequences of neglecting your website's security can be severe. By regularly updating your WordPress core, themes, and plugins, you can significantly reduce the risk of falling victim to attacks that exploit known vulnerabilities.
If you find it challenging to keep up with the latest security updates, consider partnering with a trusted web development or security agency. They can help you monitor your site, implement necessary updates, and provide guidance on best practices for maintaining a secure online presence.
Conclusion:
The Supreme Modules Lite vulnerability serves as a stark reminder of the importance of prioritizing website security. By understanding the risks posed by such vulnerabilities and taking proactive steps to protect your site, you can safeguard your users' trust and maintain a strong online presence. Remember, investing in your website's security is investing in the long-term success of your small business.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.