CVE-2024-5646 · The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘header_size’ attribute within the Advanced Text

01 · The Real Story

This is a graffiti marker left inside the staff break room, not a crowbar at the front door

CVE-2024-5646 is a stored XSS bug in the Futurio Extra WordPress plugin's Advanced Text Block widget. Affected versions are up to and including 2.0.5, and the fix landed in 2.0.6. The vulnerable path is the header_size attribute; an authenticated user with at least Contributor privileges can store crafted script-bearing content that later executes when the poisoned page is rendered.

The vendor's 6.4 / MEDIUM score overstates operational urgency for most enterprises. The decisive friction is that this is not unauthenticated remote, and in practice it also needs a victim page view to cash out the XSS, which lines up better with NVD's UI:R 5.4 interpretation than the CNA's UI:N 6.4. For a 10,000-host patch queue, this belongs behind pre-auth and actively exploited web flaws.

"This is a post-auth WordPress XSS with narrow reach, not a fleet-wide fire drill."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Enumerate plugin presence and version with WPScan or passive fingerprinting

The attacker first confirms that the target WordPress site uses the futurio-extra plugin and is on a vulnerable release such as 2.0.5 or older. In practice this is done with WPScan, plugin asset paths, readme leaks, or direct observation of theme/plugin behavior tied to Futurio.

Conditions required:

Target runs WordPress
Target uses the Futurio/Futurio Storefront ecosystem with the Futurio Extra plugin installed
Version is <= 2.0.5

Where this breaks in practice:

The plugin is only relevant on a subset of WordPress estates, not the internet at large
Some sites suppress version leakage and plugin enumeration
WordPress.org shows only 20,000+ active installs, which is meaningful but not mass-market at the scale of top plugins

Detection/coverage: Good version-based coverage from WordPress-focused scanners and asset inventory if you track plugin versions; poor generic network-scanner coverage because this is an application/plugin issue, not a service banner issue.

STEP 02

Gain Contributor+ access using valid credentials

The attacker must authenticate to WordPress with at least Contributor privileges before they can reach the vulnerable content path. Typical tooling is just the browser, Burp Suite Repeater, or scripted login with stolen or reused credentials.

Conditions required:

Valid WordPress account with Contributor, Author, Editor, or Admin role
Login reachable from the attacker's network position

Where this breaks in practice:

This is already post-initial-access for most enterprises
Many corporate WordPress sites have very few contributor accounts or restrict authorship to editors/admins
MFA, SSO, IP restrictions, and credential hygiene frequently stop this step before the vulnerability matters

Detection/coverage: Identity telemetry is your best signal here: unusual WordPress logins, impossible travel, SSO anomalies, or contributor logins from new IPs.

STEP 03

Store the payload via the Advanced Text Block widget

Once authenticated, the attacker submits a malicious header_size value through the Advanced Text Block widget path, typically using the normal editor UI or a crafted request in Burp Suite. Because sanitization/escaping is insufficient, the payload persists in page content and becomes a stored XSS foothold.

Conditions required:

User can create or edit content that uses the vulnerable widget
Site actually uses Elementor/Futurio Extra widget flow relevant to the vulnerable field

Where this breaks in practice:

Not every Contributor can touch the right content object or widget configuration in real deployments
Some editorial workflows require review before publish, delaying or blocking the payload
Content security plugins or custom hardening may strip suspicious payloads even if the plugin itself does not

Detection/coverage: Mostly weak. Traditional vuln scanners will report the version but not prove exploitability. WAFs may catch noisy payloads, but subtle stored XSS often slips through unless WordPress-specific rules or content inspection are in place.

STEP 04

Wait for an admin/editor to render the poisoned page and pivot

The payload only pays off when a privileged user loads the compromised page in a browser. At that point the script can steal nonces, perform same-origin admin actions, or modify site content; weaponization is usually done with browser-native JavaScript rather than an external exploit kit.

Conditions required:

A victim user must visit the affected page
For meaningful privilege escalation, the victim should hold higher privileges than the attacker

Where this breaks in practice:

This is the biggest downgrade factor: someone has to view the page
Blast radius is generally one WordPress site/tenant, not lateral movement across the enterprise fleet
Modern browser defenses, CSP, and careful editorial review reduce reliability

Detection/coverage: Web logs may show suspicious page edits before suspicious admin actions. EDR rarely helps unless the XSS leads to follow-on browser abuse or credential theft outside the app.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No known active exploitation evidence surfaced in the sources reviewed. CISA's ADP enrichment for the CVE records Exploitation: none and Automatable: no.
KEV status	Not in CISA KEV on the catalog page reviewed. That matters: no public government-backed evidence that this is being used at scale.
Proof-of-concept availability	No public weaponized GitHub PoC stood out in web results reviewed. That said, this is a straightforward stored XSS and does not require sophisticated exploit development once an attacker already has Contributor access.
EPSS	0.0036 per the intel you supplied, which is roughly 0.36% probability over 30 days; third-party mirrors place it around the 57th percentile. Low enough that it should not jump ahead of pre-auth web bugs.
CVSS disagreement	Wordfence/CNA: 6.4, UI:N versus NVD: 5.4, UI:R. Reality is closer to NVD here because a victim still has to load the poisoned page for the script to execute.
Affected versions	Futurio Extra <= 2.0.5. The vulnerable component is the Advanced Text Block widget's `header_size` attribute.
Fixed version	2.0.6 is the first patched release; the plugin changelog explicitly marks 2.0.6 as containing security fixes and updates.
Exposure population	WordPress.org lists 20,000+ active installs and Wordfence lists roughly 746,488 downloads. Public internet search engines like Shodan/Censys are not a useful exposure proxy here because this is a WordPress plugin-level condition, not a directly fingerprintable network service.
Disclosure	Published 2024-06-11. The researcher credited by Wordfence is wesley (wcraft).
Detection and preventive coverage	Wordfence's weekly report says it shipped real-time WAF protection for Premium/Care/Response customers. Everyone else is mostly relying on version inventory and content review, which is why this is better handled as patch hygiene than emergency response.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.9/10)

The single biggest downgrade factor is the attacker position requirement: this bug starts at authenticated Contributor access, which already implies prior compromise or a permissive editorial model. On top of that, the XSS still needs a victim page view to produce impact, so this is a narrow post-auth abuse path rather than an internet-scale entry point.

HIGH Affected version range and fixed version

HIGH Requirement for authenticated Contributor+ access

MEDIUM Real-world severity downgrade driven by practical user-interaction dependence

Why this verdict

Post-auth only: the attacker needs a valid WordPress account with at least Contributor privileges, which is a material downgrade from any unauthenticated internet-facing flaw.
Victim view required in practice: despite the CNA's UI:N vector, stored XSS still needs someone to render the compromised page; that makes NVD's UI:R interpretation closer to real operational risk.
Narrow blast radius: successful exploitation compromises one WordPress site context, not the broader host fleet, and usually only after editorial workflow conditions line up.

Why not higher?

There is no KEV listing, no active exploitation evidence in the reviewed sources, and no unauthenticated path. The attack chain compounds friction at every stage: plugin presence, vulnerable version, valid Contributor credentials, use of the affected widget path, and a victim page render.

Why not lower?

This is still a stored XSS, not a cosmetic bug. If the site uses contributor workflows heavily and an admin/editor regularly previews or edits affected pages, the bug can become a credible privilege-pivot inside that specific WordPress tenant.

05 · Compensating Control

What to do — in priority order.

Restrict Contributor logins — If you cannot patch immediately in your normal maintenance flow, reduce the reachable population by trimming unused Contributor/Author accounts, enforcing SSO/MFA, and disabling direct local logins where possible. For a LOW verdict there is no SLA; treat this as backlog hygiene and complete it during routine identity cleanup.
Review pages using Futurio widgets — Search published and draft content for pages built with the Futurio Extra Advanced Text Block widget and spot-check suspicious custom values or unexpected script-bearing markup. This is a targeted way to cut risk while you wait for the normal plugin update cycle; for LOW, do it in the next content-security review window.
Apply WordPress WAF rules — Use WordPress-aware WAF coverage or plugin-security tooling that can block common XSS payload patterns and flag suspicious post edits. This is not a substitute for upgrading, but it lowers exploit reliability while the issue sits in the backlog.
Upgrade to 2.0.6 or later — Move affected sites off <= 2.0.5 during your next planned WordPress/plugin patch cycle. For a LOW verdict, this is routine remediation rather than an outage-worthy emergency change.

What doesn't work

A network firewall does not solve this; the malicious content is delivered through normal authenticated WordPress use over standard web traffic.
Relying on generic perimeter scanning is weak coverage; scanners may identify the plugin version but usually will not tell you whether the vulnerable widget path is actually reachable to Contributor users.
Endpoint AV on the server is not the right control for a stored XSS in application content; the exploit lives in page data and executes in a browser session.

06 · Verification

Crowdsourced verification payload.

Run this on the WordPress host with read access to the site's filesystem. Invoke it as bash check_futurio_extra_cve_2024_5646.sh /var/www/html or point it directly at the plugin directory; no root is required if you can read wp-content/plugins/futurio-extra.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_futurio_extra_cve_2024_5646.sh
# Detects whether Futurio Extra is vulnerable to CVE-2024-5646.
# Usage: bash check_futurio_extra_cve_2024_5646.sh /path/to/wordpress_or_plugin_dir
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET="${1:-}"
if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN: missing argument. Usage: $0 /path/to/wordpress_or_plugin_dir"
  exit 2
fi

PLUGIN_DIR=""
if [[ -d "$TARGET/wp-content/plugins/futurio-extra" ]]; then
  PLUGIN_DIR="$TARGET/wp-content/plugins/futurio-extra"
elif [[ -d "$TARGET/futurio-extra" ]]; then
  PLUGIN_DIR="$TARGET/futurio-extra"
elif [[ -d "$TARGET" && -f "$TARGET/futurio-extra.php" ]]; then
  PLUGIN_DIR="$TARGET"
else
  echo "UNKNOWN: Futurio Extra plugin directory not found under target '$TARGET'"
  exit 2
fi

MAIN_FILE="$PLUGIN_DIR/futurio-extra.php"
README_FILE="$PLUGIN_DIR/readme.txt"
VERSION=""

if [[ -f "$MAIN_FILE" ]]; then
  VERSION=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^Version:[[:space:]]*/ {gsub(/\r/, "", $2); print $2; exit}' "$MAIN_FILE")
fi

if [[ -z "$VERSION" && -f "$README_FILE" ]]; then
  VERSION=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^Stable tag:[[:space:]]*/ {gsub(/\r/, "", $2); print $2; exit}' "$README_FILE")
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN: could not determine Futurio Extra version from $PLUGIN_DIR"
  exit 2
fi

verlte() {
  # returns success if $1 <= $2 using sort -V
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

if verlte "$VERSION" "2.0.5"; then
  echo "VULNERABLE: Futurio Extra version $VERSION detected at $PLUGIN_DIR (affected: <= 2.0.5)"
  exit 1
fi

if [[ -d "$PLUGIN_DIR" ]]; then
  echo "PATCHED: Futurio Extra version $VERSION detected at $PLUGIN_DIR (fixed: >= 2.0.6)"
  exit 0
fi

echo "UNKNOWN: unexpected state while checking $PLUGIN_DIR"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: find every WordPress site running Futurio Extra <= 2.0.5, confirm whether those sites even permit Contributor accounts, and then roll the plugin to 2.0.6+ in your next normal CMS maintenance batch. Because this is a LOW verdict, there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene, but document exceptions where external contributors can edit Elementor-backed content because those sites are the only ones where this bug becomes tactically interesting.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.