VYPR
Medium severity 5.9 · NVD Advisory · Published Apr 26, 2024 · Updated Apr 15, 2026

CVE-2024-33694

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks ThemeForest Smart Widget allows Stored XSS. This issue affects Meks ThemeForest Smart Widget: from n/a through 1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Meks ThemeForest Smart Widget plugin ≤1.5 contains a Stored XSS vulnerability, allowing authenticated attackers to inject malicious scripts that execute when visitors load affected pages.

The Meks ThemeForest Smart Widget plugin for WordPress versions up to and including 1.5 fails to properly neutralize user input during web page generation, leading to a Stored Cross-Site Scripting (XSS) vulnerability [1]. This improper neutralization of input allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and subsequently served to other users.

Exploitation requires a privileged user role, such as an administrator or editor, to save the crafted input [1]. The attack is initiated from within the WordPress admin panel, but the injected payload is triggered when any visitor (guest or authenticated) loads a page where the widget is displayed. No direct user interaction is needed on the victim’s part beyond normal browsing, though the initial injection step requires the attacker to have a role with widget editing capabilities.

If successfully exploited, an attacker can execute arbitrary scripts in the context of the victim’s browser. This could be used to steal session cookies, perform actions on behalf of the victim, redirect visitors to malicious sites, deliver advertisements, or deface the site [1]. The CVSS v3 base score is 5.9, reflecting a medium severity with a focus on the impact to confidentiality and integrity, without requiring user interaction from the victim after the payload is stored.

The vulnerability has been addressed in version 1.6 of the plugin [1]. Users are strongly advised to update immediately. As an additional safeguard, enabling auto-updates for vulnerable plugins can help prevent exploitation [1]. No workarounds are provided; updating is the recommended mitigation.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
