CVE-2024-5647
Description
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated contributors can inject stored XSS via bundled Magnific Popup v1.1.0 in multiple WordPress plugins.
Root
Cause The vulnerability resides in the bundled Magnific Popup library (version 1.1.0) used by multiple WordPress plugins including Divi and Extra [1][2][3]. Insufficient input sanitization and output escaping on user-supplied attributes allowed the injection of arbitrary HTML and JavaScript into popup template fields such as image titles and status indicators [4].
Attack
Vector An authenticated attacker with contributor-level access or higher could craft malicious content within attributes processed by the Magnific Popup library [1][2][3]. When a victim (including other users or visitors) views a page containing this injected content, the stored script executes in their browser. No additional authentication beyond a contributor role is required.
Impact
Successful exploitation leads to stored cross-site scripting (XSS), enabling the attacker to execute arbitrary web scripts in the context of the victim's session. This can result in session hijacking, defacement, theft of sensitive data, or redirection to malicious sites.
Mitigation
The upstream library fixed the issue in version 1.2.0 by disabling HTML rendering in certain fields by default (new options allowHTMLInStatusIndicator and allowHTMLInTemplate are disabled by default) [4]. The Divi, Extra, and Divi Builder plugins were patched starting in version 4.27.2 (updated October 1, 2024), which updated Magnific Popup to v1.2.0 [1][2][3]. Users should update to the latest versions of these plugins to remediate the vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: 0.8.1, 0.8.2, 0.8.3, …
Patches
145dd72ccd1a1Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
16- github.com/dimsemenov/Magnific-Popup/releases/tag/1.2.0nvd
- plugins.trac.wordpress.org/browser/bold-page-builder/trunk/content_elements_misc/js/jquery.magnific-popup.jsnvd
- plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/lib-view/magnific-popup/jquery.magnific-popup.jsnvd
- plugins.trac.wordpress.org/browser/robo-gallery/trunk/js/robo_gallery.jsnvd
- plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/vendor/magnific-popup/magnific-popup.jsnvd
- plugins.trac.wordpress.org/changeset/3153700/essential-addons-for-elementor-litenvd
- plugins.trac.wordpress.org/changeset/3153781/bold-page-buildernvd
- plugins.trac.wordpress.org/changeset/3154460/happy-elementor-addonsnvd
- plugins.trac.wordpress.org/changeset/3166204/carousel-slidernvd
- plugins.trac.wordpress.org/changeset/3184626/addons-for-divinvd
- plugins.trac.wordpress.org/changeset/3201991/robo-gallerynvd
- themes.trac.wordpress.org/changeset/244604/oceanwpnvd
- www.elegantthemes.com/api/changelog/divi-builder.txtnvd
- www.elegantthemes.com/api/changelog/divi.txtnvd
- www.elegantthemes.com/api/changelog/extra.txtnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/dae80fc2-3076-4a32-876d-5df1c62de9bdnvd
News mentions
0No linked articles in our index yet.