WordPress Plugin Vulnerabilities

Gutenberg Blocks by Kadence Blocks < 3.2.35 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

Affects Plugins

Plugin icon
kadence-blocks
Fixed in 3.2.35

References

CVE
CVE-2024-2273
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e7fe482e-a4e8-411c-97a4-a32ccf5b3682

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Dau Hoang Tai
Verified
No
WPVDB ID
f1a40bae-f50b-4681-9124-ec097f4fa8e3

Timeline

Publicly Published
2024-05-01 (about 2 years ago)
Added
2024-05-03 (about 2 years ago)
Last Updated
2024-05-17 (about 1 year ago)

Other

Published
Title
Published
2025-01-23
Title
Listamester < 2.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-04-15
Title
WP Shortcodes Plugin — Shortcodes Ultimate < 7.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode
Published
2025-03-28
Title
PostX < 4.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-01
Title
Cresta Addons for Elementor < 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-15
Title
Movie Database <= 1.0.11 - Authenticated (Admin+) Stored Cross-Site Scripting