CVE-2024-6133

6.5 MEDIUM

📋 TL;DR

This vulnerability in the wp-cart-for-digital-products WordPress plugin allows attackers to inject malicious scripts via unsanitized parameters, which are then reflected back in pages. It primarily affects WordPress sites using vulnerable plugin versions, potentially compromising admin accounts through social engineering or phishing.

💻 Affected Systems

Products:
  • wp-cart-for-digital-products WordPress plugin
Versions: before 8.5.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and active on a WordPress site; exploitation typically needs user interaction (e.g., clicking a malicious link).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin session cookies, perform actions as administrators (such as installing backdoors), or redirect users to malicious sites.

🟠 Likely Case

Attackers use crafted links to execute scripts in admin browsers, potentially stealing credentials or session tokens.

🟢 If Mitigated

With proper input validation and output escaping in place, the risk is reduced to a minimum, though the underlying vulnerability remains until the plugin is updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via crafted URLs; proof-of-concept details are available in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.6

Vendor Advisory: https://wpscan.com/vulnerability/fd613e1e-557c-4383-a3e9-4c14bc0be0c5/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'wp-cart-for-digital-products' and update to version 8.5.6 or later.
4. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable the plugin (Platform: all)

Temporarily deactivate the vulnerable plugin to prevent exploitation:

wp plugin deactivate wp-cart-for-digital-products

Apply input sanitization filter (Platform: all)

Add custom code that sanitizes the affected request parameter before the plugin reads it. The advisory does not name the parameter, so AFFECTED_PARAM below is a placeholder to replace with the real one; this is a stopgap only, since the plugin's own output escaping is what the 8.5.6 update fixes.

Add to a must-use plugin or the theme's functions.php:

add_action('init', function () { if (isset($_GET['AFFECTED_PARAM'])) { $_GET['AFFECTED_PARAM'] = sanitize_text_field(wp_unslash($_GET['AFFECTED_PARAM'])); } }, 0);

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) to block XSS payloads.
  • Educate users to avoid clicking suspicious links and use browser security extensions.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin under Plugins > Installed Plugins; if the version is below 8.5.6, the site is vulnerable.

Check Version:

wp plugin get wp-cart-for-digital-products --field=version

Verify Fix Applied:

After updating, confirm the plugin version is 8.5.6 or higher in the same location.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests with script tags or encoded payloads in query parameters to plugin pages.

Network Indicators:

  • HTTP requests containing malicious script injections (e.g., <script>alert()</script>) targeting the plugin.

SIEM Query:

source="web_logs" AND uri="*wp-cart-for-digital-products*" AND (query="*<script>*" OR query="*javascript:*")
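The following detection script applies the indicators above to sample access-log lines; it is an added example, not part of the original advisory. The plugin slug comes from the page, while the request path, the log lines and the IP addresses are constructed. It goes beyond the SIEM query in two ways: it percent-decodes parameter values repeatedly so double-encoded payloads are caught, and it checks for inline event handlers and other tag-based vectors in addition to script tags and javascript: URIs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Plugin slug from the advisory; any request whose path or query mentions it is in scope.
PLUGIN_SLUG = "wp-cart-for-digital-products"

# Apache/nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is matched against the fully decoded value of every query parameter.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]{2,}\s*=", re.I),
    "html_tag": re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I),
}

# Constructed sample traffic (not real logs). The plugin file path is a placeholder;
# the advisory does not name the reflecting page. Line 3 is double-encoded, line 5
# targets a different plugin and must not alert.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-cart-for-digital-products/page.php?item=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-content/plugins/wp-cart-for-digital-products/page.php?item=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700 "-" "curl/8.0"
203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-content/plugins/wp-cart-for-digital-products/page.php?item=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 700 "-" "curl/8.0"
203.0.113.9 - - [10/Jun/2024:12:00:04 +0000] "GET /wp-content/plugins/wp-cart-for-digital-products/page.php?ret=javascript%3Aalert(1) HTTP/1.1" 200 700 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2024:12:00:05 +0000] "GET /wp-content/plugins/other-plugin/page.php?q=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %253C -> %3C -> < is recognised as a tag."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value):
    """Return the name of the first XSS indicator found in a parameter value, else None."""
    decoded = fully_decode(value)
    for name, pattern in INDICATORS.items():
        if pattern.search(decoded):
            return name
    return None


def scan_log(text):
    """Parse log lines and return one alert per suspicious parameter on plugin requests."""
    alerts = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # malformed or non-combined-format line; skip rather than crash
        target = match.group("target")
        if PLUGIN_SLUG not in target:
            continue
        query = urlsplit(target).query
        # parse_qsl already performs one round of decoding; classify_value handles the rest.
        for param, value in parse_qsl(query, keep_blank_values=True):
            indicator = classify_value(value)
            if indicator:
                alerts.append({
                    "ip": match.group("ip"),
                    "ts": match.group("ts"),
                    "status": int(match.group("status")),
                    "param": param,
                    "indicator": indicator,
                })
    return alerts


def summarize_by_source(alerts):
    """Count alerts per client IP; repeated hits from one source suggest active probing."""
    counts = {}
    for alert in alerts:
        counts[alert["ip"]] = counts.get(alert["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['ts']} {alert['ip']} param={alert['param']} indicator={alert['indicator']}")
    print(summarize_by_source(found))
```

The status code is kept in each alert because a 200 response to a payload-bearing request is more interesting than a 403 from the WAF; filter on it when triaging. The event_handler pattern is a heuristic and will fire on benign parameter names that happen to start with "on" (for example online=1), so tune it to your own query parameter names before alerting on it.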

🔗 References
