WordPress Plugin Vulnerabilities

Getwid – Gutenberg Blocks < 2.0.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template-post-custom-field` block in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
getwid
Fixed in 2.0.13

References

CVE
CVE-2024-10872
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ae0030f-af21-43fb-959a-8da04cab05bb

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
489fab91-f097-4a6a-9ecd-d9b8a6c39622

Timeline

Publicly Published
2024-11-19 (about 1 year ago)
Added
2024-11-19 (about 1 year ago)
Last Updated
2024-11-20 (about 1 year ago)

Other

Published
Title
Published
2026-02-05
Title
Docus < 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2015-07-29
Title
qTranslate <= 2.5.39 - Cross-Site Scripting (XSS)
Published
2023-03-21
Title
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.1 - Reflected Cross-Site Scripting
Published
2020-07-09
Title
Powie's WHOIS Domain Check < 0.9.33 - Authenticated Stored Cross-Site Scripting
Published
2026-02-13
Title
Citations tools <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute