Themes Vulnerabilities

Blocksy < 2.0.34 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

Affects Themes

blocksy
Fixed in 2.0.34

References

CVE
CVE-2024-32961
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/030ec6bb-f19d-4145-b3fb-bd647c154666

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Joshua Chan
Verified
No
WPVDB ID
b12a1ce7-bfcd-4ff3-8523-fab207910287

Timeline

Publicly Published
2024-04-23 (about 1 year ago)
Added
2024-05-03 (about 1 year ago)
Last Updated
2024-05-03 (about 1 year ago)

Other

Published
Title
Published
2023-01-18
Title
Better Font Awesome < 2.0.4 - Contributor+ Stored XSS
Published
2014-04-25
Title
WP Planet <= 0.1 - Unauthenticated Reflected XSS
Published
2024-04-11
Title
Advanced iFrame < 2024.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2021-07-14
Title
Current Book <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2024-05-31
Title
Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS