WordPress Plugin Vulnerabilities

Arkhe Blocks < 2.27.0 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
arkhe-blocks
Fixed in 2.27.0

References

CVE
CVE-2024-49261
URL
https://patchstack.com/database/vulnerability/arkhe-blocks/wordpress-arkhe-blocks-plugin-2-23-0-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
João Pedro Soares de Alcântara
Verified
No
WPVDB ID
ec085e56-1a90-43ba-81ed-ff6cf2715486

Timeline

Publicly Published
2024-10-14 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2024-11-14 (about 1 year ago)

Other

Published
Title
Published
2024-06-05
Title
Recurring PayPal Donations < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-05-19
Title
Xpro Addons For Beaver Builder – Lite < 1.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-06
Title
Responsive Image Gallery, Gallery Album < 2.0.2 - Reflected XSS
Published
2019-07-16
Title
Coming Soon Page & Maintenance Mode < 1.8.2 - Unauthenticated Stored XSS
Published
2025-01-16
Title
Sale with Razorpay <= 1.0 - Reflected Cross-Site Scripting