The Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
References
History
Sat, 16 Nov 2024 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sat, 16 Nov 2024 03:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |
| Title | Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-11-16T03:20:48.606Z
Updated: 2024-11-16T15:10:21.676Z
Reserved: 2024-09-30T21:36:41.394Z
Link: CVE-2024-9386
Vulnrichment
Updated: 2024-11-16T15:10:08.428Z
NVD
Status : Awaiting Analysis
Published: 2024-11-16T04:15:07.030
Modified: 2024-11-18T17:11:17.393
Link: CVE-2024-9386
Redhat
No data.