CoBlocks < 3.1.13 – Editor+ Stored XSS | CVE 2024-7132 | Plugin Vulnerabilities

Description

The plugin does not escape the content of post embed via one of its block, which could allow users with the capability to publish posts (editor and admin by default) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Create a post with the following payload as content and publish it: &lt;img src=x onerror=alert(1)&gt;

The XSS will be triggered when a user (such as contributor and above) will add a "Post Carousel (CoBlocks)" or " Posts (CoBlocks)" block to a Post/Page

Affects Plugins

Fixed in 3.1.13

References

CVE

URL

https://research.cleantalk.org/cve-2024-7132/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

16deb743-6fe9-43a2-9586-d92cfe1daa17

Timeline

Publicly Published

2024-08-08 (about 1 year ago)

Added

2024-08-08 (about 1 year ago)

Last Updated

2024-08-08 (about 1 year ago)

Other

Published

Title

Published

2023-03-31

Title

Enhanced WP Contact Form <= 2.3 - Admin+ Stored XSS

Published

2024-12-19

Title

Financial Calculator <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-11-22

Title

Icegram < 2.0.5 - Reflected Cross-Site Scripting

Published

2024-08-07

Title

Lightbox & Modal Popup WordPress Plugin – FooBox < 2.7.32 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes

Published

2025-04-29

Title

Syndicate Out <= 0.9 - Unauthenticated Stored Cross-Site Scripting