CVE-2024-5892

Vulnerability

The Divi Torque Lite plugin for WordPress, up to and including version 3.6.6, contains a Stored Cross-Site Scripting (XSS) vulnerability in the support_unfiltered_files_upload function. The plugin fails to properly sanitize input and escape output when handling file uploads, particularly through the handle_upload_prefilter and check_filetype_and_ext methods. This allows authenticated attackers with Author-level access or higher to upload files containing arbitrary web scripts that are stored on the server.

Exploitation

An attacker must have Author-level access or higher to a WordPress site running the vulnerable Divi Torque Lite plugin. The attacker uploads a specially crafted file (e.g., an SVG with embedded JavaScript) via the plugin's unfiltered file upload feature. The file passes the extension check but contains malicious scripts. The uploaded file is stored and later served to users, triggering the script in their browsers when the page is accessed.

Impact

Successful exploitation results in Stored Cross-Site Scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive information (e.g., cookies, authentication tokens), or redirection to malicious sites. The impact is limited to users who visit the compromised page, but within the WordPress site's scope.

Mitigation

The vendor has released version 3.6.7 of Divi Torque Lite to fix this vulnerability. Users should update to at least 3.6.7 immediately. No workarounds are provided in the available references [1].