CVE-2024-13419

Name of the Vulnerable Software and Affected Versions WordPress plugins and/or themes using Smart Framework (affected versions not specified)

Description The issue is related to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions. This allows authenticated attackers with Subscriber-level access and above to update the plugin's settings, including custom JavaScript that is enabled site-wide.

Recommendations For WordPress plugins and/or themes using Smart Framework, consider disabling the saveOptions() and importThemeOptions() functions until a patch is available to prevent exploitation. Restrict access to the plugin's settings to minimize the risk of attackers updating custom JavaScript. At the moment, there is no information about a newer version that contains a fix for this vulnerability.