Vulnerabilities > CVE-2024-13419 - Missing Authorization vulnerability in G5Plus products

CVSS 5.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

g5plus

CWE-862

NVD

Published: 2025-05-02

Updated: 2025-05-06

Summary

Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable.

Vulnerable Configurations

Part	Description	Count
Application	G5Plus G5Plus April * G5Plus Auteur * G5Plus Benaa * G5Plus Beyot *	4

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References