Spectra – WordPress Gutenberg Blocks < 2.12.9 – Contributor+ Stored XSS via Image Gallery Block | CVE 2024-1815 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Image Gallery block due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

ultimate-addons-for-gutenberg

Fixed in 2.12.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1cd877e6-e000-437d-ba9f-0640350277e4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

f388f8c7-cd6e-464c-81c8-f8959c936287

Timeline

Publicly Published

2024-05-22 (about 2 years ago)

Added

2024-05-23 (about 2 years ago)

Last Updated

2024-05-23 (about 2 years ago)

Other

Published

Title

Published

2024-06-11

Title

Events Manager – Calendar, Bookings, Tickets, and more! < 6.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via event, location, and event_category Shortcodes

Published

2024-02-15

Title

PowerPack Addons for Elementor < 2.7.16 - Contributor+ Stored Cross-Site Scripting

Published

2024-09-04

Title

Share This Image < 2.03 - Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode

Published

2025-10-27

Title

Master Slider Pro <= 3.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-11-23

Title

Extensions for Leaflet Map < 4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting