Otter Blocks PRO < 2.6.4 – Authenticated(Contributor+) Stored Cross-Site Scripting via File Field CSS | CVE 2024-1684 | Plugin Vulnerabilities

Description

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form file field CSS metabox in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 2.6.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/934bf839-152d-4d10-9ac8-c64cf042dc18

Classification

Type

CROSS FRAME SCRIPTING

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

64c11f13-bca2-43c8-83da-bd4effc7c8e8

Timeline

Publicly Published

2024-03-06 (about 2 years ago)

Added

2024-03-06 (about 2 years ago)

Last Updated

2024-03-06 (about 2 years ago)

Other

Published

Title

Published

2025-05-02

Title

Subpage List <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-30

Title

Cost Calculator Builder Pro < 3.1.68 - Unauthenticated Cross-Site Scripting via SVG Upload

Published

2024-01-29

Title

Order Delivery Date for WP e-Commerce <= 1.2 - Unauthenticated Stored Cross-Site Scripting

Published

2025-10-23

Title

Multi Item Responsive Slider <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-02-29

Title

Booking for Appointments and Events Calendar – Amelia < 1.0.99 - Reflected Cross-Site Scripting