WordPress Plugin Vulnerabilities

Essential Blocks for Gutenberg < 4.5.4 - Contributor+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
essential-blocks
Fixed in 4.5.4

References

CVE
CVE-2024-31306
URL
https://patchstack.com/database/vulnerability/essential-blocks/wordpress-essential-blocks-plugin-4-5-3-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
No
WPVDB ID
ece1c296-86fc-41b7-a66c-25f3ce632e64

Timeline

Publicly Published
2024-04-05 (about 2 years ago)
Added
2024-04-12 (about 2 years ago)
Last Updated
2024-04-12 (about 2 years ago)

Other

Published
Title
Published
2014-10-15
Title
Cforms < 10.2 - XSS
Published
2024-04-05
Title
Gradient Text Widget for Elementor <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-23
Title
Confetti Fall Animation <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via confetti-fall-animation Shortcode
Published
2019-10-23
Title
Groundhogg < 2.0.9.11 - Authenticated Reflected XSS
Published
2023-05-25
Title
WooCommerce Product Categories Selection Widget <= 2.0 - Reflected XSS