CVE-2024-5645 in Envo Extra Plugin
Summary
by MITRE • 06/07/2024
The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/25/2025
The CVE-2024-5645 vulnerability affects the Envo Extra plugin for WordPress, specifically targeting the Button widget functionality within versions up to and including 1.8.23. This represents a critical security flaw that exploits a stored cross-site scripting vulnerability through the 'button_css_id' parameter, demonstrating a fundamental weakness in the plugin's input validation and output escaping mechanisms. The vulnerability's impact is particularly concerning because it requires only Contributor-level access or higher, making it accessible to users who can create and modify content within WordPress installations.
The technical flaw stems from insufficient sanitization of user input within the button_css_id parameter, which allows malicious code to be stored persistently within the WordPress database. When legitimate users access pages containing the injected content, the stored scripts execute in their browsers, creating a persistent threat vector that can affect any user who views the compromised pages. This vulnerability operates under the CWE-79 classification for Cross-Site Scripting, specifically categorized as a stored XSS attack where malicious scripts are stored on the server and executed when accessed by other users.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform session hijacking, defacement of content, and potentially more sophisticated attacks such as credential theft or redirection to malicious sites. The low privilege requirement means that even users with limited administrative capabilities can compromise the entire WordPress installation's security posture. Attackers can leverage this vulnerability to inject malicious scripts that could harvest user credentials, modify content, or redirect users to phishing sites, making it a significant threat to WordPress site integrity and user security.
Mitigation strategies should include immediate patching of the Envo Extra plugin to the latest version where the vulnerability has been addressed, as well as implementing additional security measures such as input validation, output escaping, and content security policies. Administrators should also consider implementing role-based access controls to limit contributor-level privileges where possible, and conduct regular security audits of installed plugins. The vulnerability aligns with ATT&CK technique T1546.001 for 'Setuid and Setgid' and T1059.001 for 'Command and Scripting Interpreter', as it allows for the execution of malicious code through web interfaces and can be used to establish persistent access to WordPress installations. Regular monitoring of plugin updates and security advisories from WordPress.org and the plugin vendor remains essential for maintaining system security.