What is CVE-2024-6828?

CVE-2024-6828 is tracked as a Remote Code Execution issue affecting the Plugin Redux Framework.

Which Redux Framework versions are affected?

The primary affected range is 4.4.12 through 4.4.17.

How should operators remediate CVE-2024-6828?

Update to 4.4.18 or newer where that release is compatible with the site.

Vulnerability Report

Plugin High Patch path listed CVE-2024-6828

Redux Framework 4.4.12 - 4.4.17 - Unauthenticated JSON File Upload to Stored Cross-Site Scripting

The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize - to Remote Code Execution.

Quick Answer

CVE-2024-6828 is a high severity with CVSS 7.2 Remote Code Execution issue affecting the Plugin Redux Framework. It affects 4.4.12 through 4.4.17 and is fixed in 4.4.18.

Back to Feed View Plugin Hub Open CVE Reference

Published

Jul 22, 2024

Last Updated

Sep 05, 2024

Slug

redux-framework

Risk Profile

7.2 CVSS Score

Weakness

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Researchers

villu164

Operational Summary

What the operator needs to know

Share Email

Patch Status

Patched release is available

Remediation

Update to version 4.4.18, or a newer patched version

Operator Briefing

CVE-2024-6828 is tracked for the Plugin Redux Framework as high severity with CVSS 7.2. The affected range is 4.4.12 through 4.4.17. Update Redux Framework to 4.4.18 or newer where that version is compatible with the site.

Issue Type

Remote Code Execution

Primary Fixed Version

4.4.18

Primary Affected Range

4.4.12 through 4.4.17

Tracking ID

CVE-2024-6828

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/18a37063-31aa-4b1f-b1a5-1ea921a20686?source=api-prod

Detailed Metadata

Software Type	Plugin
Software Slug	redux-framework View on wordpress.org
CVE	CVE-2024-6828
Patched Versions	4.4.18
Affected Versions	4.4.12 through 4.4.17

Related CVE Cluster

Related CVEs for Redux Framework

These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.

High CVE-2021-38312 4.2.13 Sep 01, 2021

CVE-2021-38312 Redux Framework Vulnerability

Gutenberg Template Library & Redux Framework <= 4.2.1 - Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion

Medium CVE-2025-9488 4.5.9 Dec 12, 2025

CVE-2025-9488 Redux Framework Stored Cross-Site Scripting

Redux Framework <= 4.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via data Parameter

Medium CVE-2021-38314 4.2.13 Sep 01, 2021

CVE-2021-38314 Redux Framework Vulnerability

Gutenberg Template Library & Redux Framework <= 4.2.11 - Missing Authorization to Sensitive Information Disclosure

High 4.1.21 Nov 23, 2020

Redux Framework Cross-Site Request Forgery

Gutenberg Template and Pattern Library & Redux Framework <= 4.1.20 - Cross-Site Request Forgery

Medium 4.1.24 Dec 15, 2020

Redux Framework Cross-Site Request Forgery

Gutenberg Template Library & Redux Framework <= 4.1.23 - Cross-Site Request Forgery

Licensing Notices

This record contains material that is subject to copyright

DEFIANT

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more

MITRE

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more