WordPress Plugin Vulnerabilities

Stackable – Page Builder Gutenberg Blocks < 3.13.7 - Unauthenticated CSS Injection

Description

The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users.

Affects Plugins

Plugin icon
stackable-ultimate-gutenberg-blocks
Fixed in 3.13.7

References

CVE
CVE-2024-8760
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd0b13c-7447-45da-9608-80b7629d9bbf

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
48573c6a-a545-4906-8734-673fa44633cd

Timeline

Publicly Published
2024-10-11 (about 1 year ago)
Added
2024-10-11 (about 1 year ago)
Last Updated
2024-10-12 (about 1 year ago)

Other

Published
Title
Published
2025-02-28
Title
Authors List < 2.0.6.1 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-08-23
Title
Image Hotspot by DevVN < 1.2.6 - Authenticated (Author+) PHP Object Injection
Published
2014-08-01
Title
DZS Video Gallery - ajax.php source Parameter Reflected XSS
Published
2025-12-02
Title
Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form
Published
2025-07-10
Title
GB Forms DB < 1.0.3 - Unauthenticated Remote Code Execution