CVERadar

CVE-2024-37428

High Severity

Themesgrove

SVRS

53/100

CVSSv3

5.4/10

EPSS

0.0007/1

CVE-2024-37428 is a Stored Cross-Site Scripting (XSS) vulnerability in Themesgrove WidgetKit versions up to 2.5.0, allowing attackers to inject malicious scripts into web pages. This vulnerability arises from improper neutralization of user-supplied input during web page generation. Despite a moderate CVSS score of 5.4, the SOCRadar Vulnerability Risk Score (SVRS) is 53, indicating a medium level of risk requiring attention. Attackers can exploit this vulnerability to execute arbitrary JavaScript code in the browsers of unsuspecting users. Successful exploitation could lead to session hijacking, website defacement, or redirection to malicious sites. Given the CWE-79 classification and the presence of "In The Wild" tags, organizations using WidgetKit should promptly apply available patches or mitigations to prevent potential exploitation. Addressing this security flaw is crucial to protect user data and maintain the integrity of web applications using the affected WidgetKit versions.

TAGS

In The Wild

VECTOR STRING

CVSS:3.1

AV:N

AC:L

PR:L

UI:R

S:C

C:L

I:L

A:N

PUBLICATION DATE2024-07-22

LAST MODIFIED2024-07-26

SOCRadar

AI Insight

Description:

CVE-2024-37428 is a Stored Cross-site Scripting (XSS) vulnerability in Themesgrove WidgetKit, allowing attackers to inject malicious scripts into web pages. This vulnerability affects WidgetKit versions from n/a through 2.5.0.

Key Insights:

SVRS Score: 30 (Moderate)
Exploit Status: Active exploits have been published.
CISA Warnings: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of the vulnerability, calling for immediate and necessary measures.
In the Wild: The vulnerability is actively exploited by hackers.

Mitigation Strategies:

Update WidgetKit to version 2.5.1 or later.
Implement input validation and sanitization to prevent malicious scripts from being injected.
Use a web application firewall (WAF) to block malicious requests.
Regularly monitor for suspicious activity and patch any vulnerabilities promptly.

Additional Information:

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence

Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.

CREATE FREE ACCOUNT

CVE Details

Access comprehensive CVE information instantly

Real-time Tracking

Subscribe to CVEs and get instant updates

Exploit Analysis

Monitor related APT groups and threats

IOC Tracking

Analyze and track CVE-related IOCs

News

CVE-2024-37428 | Themesgrove WidgetKit Plugin up to 2.5.0 on WordPress cross site scripting

vuldb.com2025-03-17

CVE-2024-37428 | Themesgrove WidgetKit Plugin up to 2.5.0 on WordPress cross site scripting | A vulnerability was found in Themesgrove WidgetKit Plugin up to 2.5.0 on WordPress. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-37428. The attack can be initiated remotely. There is no exploit available.

news

vuldb.com

rss

forum

Social Media

Vulmon Vulnerability Feed

@VulmonFeeds

2024-07-22

CVE-2024-37428 Stored XSS Vulnerability in Themesgrove WidgetKit up to 2.5.0: Themesgrove WidgetKit has a stored Cross-Site Scripting (XSS) vulnerability. This happens due to improper neutralization of input durin... https://t.co/9cUrMZzYSO

CVE

@CVEnew

2024-07-22

CVE-2024-37428 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themesgrove WidgetKit allows Stored XSS.This issue affect… https://t.co/2nHCAinIHl

Affected Software

Configuration 1

Type	Vendor	Product
App	Themesgrove	all-in-one_addons_for_elementor

References

Reference	Link
[email protected]	https://patchstack.com/database/vulnerability/widgetkit-for-elementor/wordpress-all-in-one-addons-for-elementor-widgetkit-plugin-2-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve

CWE Details

CWE ID	CWE Name	Description
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence