CVE-2024-5892 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Divi Torque Lite – Divi Theme and Extra Theme WordPress plugin developed by badhonrocks. The vulnerability exists due to insufficient sanitization and escaping of user input within the 'support_unfiltered_files_upload' function. Authenticated attackers with Author-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages managed by the plugin. Because the injected scripts are stored persistently, they execute every time a user visits the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability affects all versions up to and including 3.6.6. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and the popularity of the Divi themes. The flaw highlights the importance of proper input validation and output encoding in web applications, especially in plugins that handle file uploads or user-generated content.

The impact of CVE-2024-5892 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, which can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potentially further privilege escalation within the site. Since the vulnerability requires Author-level access, attackers must first compromise or have legitimate access to an account with elevated privileges, which limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or weak internal controls. The stored nature of the XSS means that any user visiting the infected page is at risk, including administrators and site visitors, increasing the potential damage. Organizations relying on this plugin for their WordPress sites may face reputational damage, data breaches, and operational disruptions if exploited. Given the widespread use of WordPress globally, the vulnerability could affect a large number of websites, particularly those that have not implemented strict access controls or monitoring.

1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 2. Monitor existing pages and posts for suspicious or unexpected scripts, especially those related to file upload functionalities. 3. Implement web application firewall (WAF) rules to detect and block common XSS payloads targeting the plugin's vulnerable function. 4. Disable or limit the use of the 'support_unfiltered_files_upload' feature if possible until a patch is available. 5. Regularly audit user accounts and permissions to ensure no unauthorized privilege escalations have occurred. 6. Once the vendor releases an official patch or update, apply it promptly to remediate the vulnerability. 7. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. 8. Educate site administrators and content creators about the risks of XSS and safe content management practices. 9. Consider isolating or sandboxing user-generated content areas to limit script execution scope. 10. Use security plugins that provide enhanced input validation and output encoding for WordPress sites.