Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • August 30, 2024 at 3:16 am #1465720
    Rob – Press Wizards
    Guest

    From WordFence:
    Enfold <= 6.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters
    Description

    The Enfold – Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and ‘class’ parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
    CVE CVE-2024-5061
    CVSS 6.4 (Medium)
    Publicly Published August 29, 2024
    Last Updated August 29, 2024
    Researcher stealthcopter

    See: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/enfold/enfold-603-authenticated-contributor-stored-cross-site-scripting-via-wrapper-class-and-class-parameters

    August 30, 2024 at 12:24 pm #1465779
    Ismael

    Hey Rob – Press Wizards,

    Thank you for bringing this issue to our attention.

    We have forwarded the provided link to our channel for further review. We will make sure to provide you with feedback as soon as we have more information or updates available. If you have any additional details or questions, feel free to reach out to us.

    Best regards,
    Ismael

    September 3, 2024 at 3:59 pm #1466135
    Yigit

    Hey Rob,

    I just wanted to let you know that our developers addressed this issue and we will release Enfold 6.0.4 very soon.

    Regards,
    Yigit

  • Author
    Posts
Viewing 3 posts - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.