WordPress Smart Framework Multiple Plugins Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in multiple WordPress plugins and themes that utilize Smart Framework. This issue arises from a lack of proper capability checks in the saveOptions() and importThemeOptions() functions across various versions. As a result, authenticated attackers with Subscriber-level access or higher can modify the plugin's settings to include custom JavaScript, which is then executed site-wide. Despite being reported to Envato over two months ago, this vulnerability remains unaddressed.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user.
Remediation
No known patch is available. It is recommended to review the vulnerability details thoroughly and consider uninstalling the affected software.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.