CVE-2024-5501 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Supreme Modules Lite plugin used in Divi Theme, Extra Theme, and Divi Builder for WordPress. The vulnerability stems from insufficient sanitization and escaping of the 'button_one_id' parameter, which is processed during web page generation. Authenticated users with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the compromised page, potentially allowing attackers to steal session cookies, perform actions on behalf of other users, or conduct further attacks such as phishing or malware distribution. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component. No patches have been linked yet, and no known exploits are reported in the wild, but the presence of this vulnerability in popular WordPress themes and builders increases its risk profile. The vulnerability affects all versions up to and including 2.5.51 of the plugin. The flaw is particularly concerning because Contributor-level users are common in WordPress environments, and the injected scripts can impact any user visiting the infected pages.

The impact of CVE-2024-5501 is significant for organizations using the affected WordPress themes and plugins. Successful exploitation can lead to session hijacking, unauthorized actions performed with the privileges of other users, and potential compromise of sensitive information. Since the vulnerability allows stored XSS, it can facilitate persistent attacks that affect multiple users, including administrators. This can undermine the integrity and confidentiality of the website and its users. The availability impact is low, as the vulnerability does not directly cause denial of service. However, reputational damage and loss of user trust can be substantial if attackers leverage this flaw for phishing or malware distribution. Organizations with multi-user WordPress environments, especially those allowing Contributor-level access to untrusted users, are at higher risk. The vulnerability's network attack vector and low complexity make it relatively easy to exploit once an attacker has the required privileges, increasing the threat surface. The scope change indicates that the impact can extend beyond the immediate plugin, potentially affecting the entire website and its visitors.

1. Immediately restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit user-generated content, especially inputs related to the 'button_one_id' parameter, for suspicious or unexpected scripts. 3. Apply input validation and output encoding at the application level to ensure all user inputs are properly sanitized and escaped before rendering. 4. Update the Supreme Modules Lite plugin, Divi Theme, Extra Theme, and Divi Builder to the latest versions once patches addressing CVE-2024-5501 are released by the vendor. 5. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting WordPress plugins. 6. Educate content contributors about the risks of injecting untrusted code and enforce strict content policies. 7. Regularly scan WordPress sites with security tools to detect stored XSS and other vulnerabilities. 8. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. 9. Backup website data frequently to enable quick recovery if exploitation occurs.