WordPress Plugin Vulnerabilities

Post Grid and Gutenberg Blocks < 2.2.93 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Affects Plugins

Plugin icon
post-grid
Fixed in 2.2.93

References

CVE
CVE-2024-9645
URL
https://research.cleantalk.org/cve-2024-9645/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified
Yes
WPVDB ID
cfd6db83-5e7f-4631-87c3-fdcd4c64c4fe

Timeline

Publicly Published
2024-09-09 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2025-01-14 (about 1 year ago)

Other

Published
Title
Published
2025-03-26
Title
jAlbum Bridge < 2.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-27
Title
Awesome Event Booking < 2.7.2 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
CGM Event Calendar <= 0.8.5 - Reflected Cross-Site Scripting
Published
2024-05-23
Title
Spectra < 2.13.1 - Author+ Stored XSS
Published
2016-07-27
Title
WP Google Map Plugin < 3.1.2 - XSS