CVE-2024-13419: CWE-862 Missing Authorization in G5Theme Benaa Framework
Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable.
AI Analysis
Technical Summary
This vulnerability (CVE-2024-13419) affects multiple WordPress plugins and themes using the Smart Framework, specifically the G5Theme Benaa Framework. Due to missing capability checks in the saveOptions() and importThemeOptions() functions, authenticated users with low privileges (Subscriber-level and above) can modify plugin settings. This includes the ability to insert custom JavaScript that executes across the entire site, resulting in stored cross-site scripting. The vulnerability is classified under CWE-862 (Missing Authorization). No patch or official fix is currently available, and no known exploits in the wild have been reported.
Potential Impact
An attacker with authenticated access at Subscriber level or higher can exploit this vulnerability to inject malicious JavaScript code site-wide, potentially leading to cross-site scripting attacks. This can compromise the integrity and confidentiality of the site and its users. The CVSS score is 6.4 (medium severity), reflecting the network attack vector, low attack complexity, and the requirement for some privileges but no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available from the vendor. Users should monitor the vendor's advisory channels for updates. Until a patch is released, restrict Subscriber-level access and above to trusted users only to reduce risk. Avoid installing or updating affected plugins/themes from untrusted sources.
CVE-2024-13419: CWE-862 Missing Authorization in G5Theme Benaa Framework
Description
Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2024-13419) affects multiple WordPress plugins and themes using the Smart Framework, specifically the G5Theme Benaa Framework. Due to missing capability checks in the saveOptions() and importThemeOptions() functions, authenticated users with low privileges (Subscriber-level and above) can modify plugin settings. This includes the ability to insert custom JavaScript that executes across the entire site, resulting in stored cross-site scripting. The vulnerability is classified under CWE-862 (Missing Authorization). No patch or official fix is currently available, and no known exploits in the wild have been reported.
Potential Impact
An attacker with authenticated access at Subscriber level or higher can exploit this vulnerability to inject malicious JavaScript code site-wide, potentially leading to cross-site scripting attacks. This can compromise the integrity and confidentiality of the site and its users. The CVSS score is 6.4 (medium severity), reflecting the network attack vector, low attack complexity, and the requirement for some privileges but no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available from the vendor. Users should monitor the vendor's advisory channels for updates. Until a patch is released, restrict Subscriber-level access and above to trusted users only to reduce risk. Avoid installing or updating affected plugins/themes from untrusted sources.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-15T18:32:29.194Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9838c4522896dcbec039
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 4/9/2026, 7:29:36 PM
Last updated: 5/8/2026, 7:11:51 PM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.