Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates < 4.5.4 – Contributor+ Stored XSS | CVE 2024-2255 | Plugin Vulnerabilities

Description

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates is vulnerable to Stored Cross-Site Scripting via the plugin's widgets due to insufficient input sanitization and output escaping on user supplied attributes such as listStyle. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

essential-blocks

Fixed in 4.5.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cfcd59ae-085f-47d2-a4d2-2d1239f035d2

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

e238aa3d-8bf3-4297-836f-ace50cbfcef0

Timeline

Publicly Published

2024-03-19 (about 2 years ago)

Added

2024-03-19 (about 2 years ago)

Last Updated

2024-03-19 (about 2 years ago)

Other

Published

Title

Published

2022-10-13

Title

Highlight Focus <= 1.1 - Admin+ Stored Cross Site Scripting

Published

2025-10-13

Title

Interactive Content – H5P < 1.16.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-08-28

Title

URL Shortener by MyThemeShop <= 1.0.17 - Reflected XSS

Published

2025-04-17

Title

Coupon Affiliates – Affiliate Plugin for WooCommerce < 6.3.1 - Reflected Cross-Site Scripting via 'commission_summary' Parameter

Published

2014-08-01

Title

Welcart e-Commerce 1.3.12 - DOM Cross-Site Scripting (XSS)