CVE-2024-5501 in Supreme Modules Lite Plugin
Summary
by MITRE • 06/01/2024
The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_one_id’ parameter in all versions up to, and including, 2.5.51 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/26/2025
The CVE-2024-5501 vulnerability affects the Supreme Modules Lite plugin for WordPress, which is widely used with Divi Theme, Extra Theme, and Divi Builder. This plugin serves as a modular extension that enhances WordPress website functionality through various customizable elements and modules. The vulnerability resides in the plugin's handling of the 'button_one_id' parameter, which is processed during the creation and rendering of button modules within the WordPress admin interface. The flaw represents a classic stored cross-site scripting vulnerability that allows authenticated attackers with Contributor-level permissions or higher to inject malicious scripts into the plugin's configuration parameters.
The technical implementation of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When administrators or users with sufficient privileges create or modify button modules, the 'button_one_id' parameter is stored in the WordPress database without proper sanitization of potentially malicious input. The plugin fails to adequately escape output when rendering these stored parameters, creating an environment where malicious JavaScript code can be executed whenever affected pages are accessed by any user. This stored nature of the vulnerability means that the malicious payload persists in the database and executes automatically each time the affected page is loaded, making it particularly dangerous for widespread impact.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent foothold within the WordPress environment. An attacker with Contributor-level access can inject scripts that may steal cookies, session tokens, or other sensitive information from users who access the compromised pages. The vulnerability enables potential privilege escalation attacks, as the injected scripts could manipulate the WordPress admin interface or redirect users to malicious sites. Additionally, the widespread adoption of the Supreme Modules Lite plugin means that successful exploitation could affect numerous WordPress installations simultaneously, making this vulnerability particularly attractive to threat actors seeking mass impact.
Security practitioners should consider this vulnerability in the context of CWE-79, which specifically addresses cross-site scripting flaws, and the ATT&CK framework's T1059.001 technique for command and script injection. Organizations should immediately update to the latest version of the Supreme Modules Lite plugin to address this vulnerability, as no patches were available for versions up to 2.5.51 at the time of reporting. System administrators should also implement network monitoring to detect potential exploitation attempts, particularly unusual requests containing script tags or other malicious payloads in the button_one_id parameter. Regular security audits of WordPress plugins and themes should be conducted to identify similar sanitization and escaping issues, while user access controls should be carefully managed to limit Contributor-level permissions to trusted individuals only.