Gutenberg Blocks by Kadence Blocks < 3.2.37 – Contributor+ Stored XSS | CVE 2024-4057 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

Add a Lottie Animation block to a post and put the following payload in the "Lottie Animation URL" option of the block: https://lottie.host/9a802a6b-8684-423f-9eb3-c88be9caa335/QuOMXrIn7t.lottie" onmouseover=alert(/XSS/)//


The XSS will be triggered when any user will (pre)view the post and move the mouse over the generated image

Affects Plugins

Fixed in 3.2.37

References

CVE

URL

https://research.cleantalk.org/cve-2024-4057/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

da4d4d87-07b3-4f7d-bcbd-d29968a30b4f

Timeline

Publicly Published

2024-05-14 (about 1 months ago)

Added

2024-05-14 (about 1 months ago)

Last Updated

2024-05-14 (about 1 months ago)

Other

Published

Title

Published

2024-04-05

Title

Icegram Express < 5.7.16 - Authenticated (Administrator+) Cross-Site Scripting via CSV import

Published

2024-01-12

Title

WooCommerce < 8.4.0 - Reflected Cross-Site Scripting

Published

2022-10-29

Title

Glossary <= 3.1.2 - Contributor+ Stored XSS

Published

2020-08-17

Title

Easy Media Download < 1.1.5 - Authenticated Stored Cross-Site Scripting

Published

2023-07-17

Title

Chat Button < 1.8.10 - Admin+ Stored XSS