Blocksy Companion Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads – CVE-2024-4487 | WordPress Plugin Vulnerability Report

Plugin Name: Blocksy Companion

Key Information:

  • Software Type: Plugin
  • Software Slug: blocksy-companion
  • Software Status: Active
  • Software Author: creativethemeshq
  • Software Downloads: 7,639,072
  • Active Installs: 200,000
  • Last Updated: May 10, 2024
  • Patched Versions: 2.0.46
  • Affected Versions: <= 2.0.45

Vulnerability Details:

  • Name: Blocksy Companion <= 2.0.45 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-4487
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 10, 2024
  • Researcher: wesley (wcraft)
  • Description: The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Blocksy Companion plugin for WordPress has a vulnerability in versions up to and including 2.0.45 that allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts via SVG uploads due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 2.0.46.

Detailed Overview:

The vulnerability was discovered by security researcher wesley (wcraft) and publicly disclosed on May 10, 2024. It is a Stored Cross-Site Scripting (XSS) vulnerability that stems from insufficient input sanitization and output escaping when handling SVG uploads. Attackers with contributor-level permissions or higher can exploit this vulnerability to inject malicious scripts that execute whenever a user visits an affected page, potentially leading to session hijacking, data theft, or other malicious activities.

Advice for Users:

  1. Immediate Action: Update the Blocksy Companion plugin to version 2.0.46 or later to ensure protection against this vulnerability.
  2. Check for Signs of Vulnerability: Review your WordPress site for any suspicious or unauthorized content that may indicate a possible compromise.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the Blocksy Companion developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.0.46 or later to secure their WordPress installations.
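One way to carry out the check in step 2 for this specific issue is to audit the SVG files already in the media library for active content. The script below is an added example, not code from the plugin or from the original report; the sample SVGs are constructed, and the uploads path passed on the command line is an assumption about your install.

```python
import re
import sys
from html.parser import HTMLParser
from pathlib import Path

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed samples for illustration; not taken from any real site.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="void(0)"><script></script>'
              '<a xlink:href="JavaScript:void(0)"/></svg>')


class SvgAudit(HTMLParser):
    """Lenient parser: tolerates malformed markup and lowercases names."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace/control characters before matching the scheme.
            compact = re.sub(r"[\x00-\x20]", "", value or "").lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif "javascript:" in compact:
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_svg(text):
    """Return the active-content findings for one SVG document."""
    parser = SvgAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


def audit_tree(root):
    """Map each flagged .svg file under root to its findings."""
    svgs = (p for p in Path(root).rglob("*") if p.suffix.lower() == ".svg" and p.is_file())
    results = {str(p): audit_svg(p.read_text(encoding="utf-8", errors="replace")) for p in svgs}
    return {path: found for path, found in results.items() if found}


if __name__ == "__main__":
    for path, findings in audit_tree(sys.argv[1]).items():
        print(path, "; ".join(findings), sep="\t")
```

Point it at the uploads directory of the site (typically `wp-content/uploads`). It is a triage pass over static markup, so review each flagged file by hand before deleting or restoring anything.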

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/blocksy-companion

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/blocksy-companion/blocksy-companion-2045-authenticated-contributor-stored-cross-site-scripting-via-svg-uploads

Detailed Report:

As a website owner, ensuring the security and integrity of your site should always be a top priority. Recently, a vulnerability was discovered in the popular Blocksy Companion plugin for WordPress, which could potentially put your site at risk. In this blog post, we'll discuss the importance of keeping your WordPress site up to date, the specific security risk posed by this vulnerability, and how you can take action to protect your website.

The Blocksy Companion Plugin

Blocksy Companion is a popular WordPress plugin that extends the functionality of the Blocksy theme, providing additional features and customization options. The plugin has been downloaded over 7.6 million times and is currently active on more than 200,000 websites. It was last updated on May 10, 2024.

The Vulnerability: CVE-2024-4487

On May 10, 2024, security researcher wesley (wcraft) publicly disclosed a vulnerability in the Blocksy Companion plugin. The vulnerability, identified as CVE-2024-4487, is a Stored Cross-Site Scripting (XSS) issue that stems from insufficient input sanitization and output escaping when handling SVG uploads. This vulnerability affects versions of the plugin up to and including 2.0.45.

Risks and Potential Impacts

The Blocksy Companion plugin vulnerability allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into pages via SVG uploads. When a user visits an affected page, these scripts can execute, potentially leading to session hijacking, data theft, or other malicious activities. This vulnerability has a CVSS score of 6.4, which is rated Medium severity.

How to Remediate the Vulnerability

To protect your website from this vulnerability, it is crucial to update the Blocksy Companion plugin to version 2.0.46 or later. This version includes a patch that addresses the XSS vulnerability. If you're unsure about the update process or concerned about the security of your website, consider seeking assistance from a professional WordPress security service provider.

Previous Vulnerabilities

It's worth noting that the Blocksy Companion plugin has had five previous vulnerabilities reported since March 2022. This underscores the importance of regularly monitoring and updating your WordPress plugins to ensure the ongoing security of your website.

The Importance of Staying Vigilant

As a small business owner with a WordPress website, it can be challenging to find the time to stay on top of security vulnerabilities. However, the consequences of neglecting website security can be severe, ranging from data breaches and financial losses to damage to your brand's reputation. By regularly updating your WordPress plugins, themes, and core installation, and partnering with a reliable website security provider, you can significantly reduce the risk of falling victim to cyber threats.

Don't wait until it's too late – take action now to protect your website and your users' data. Regularly monitor your site for signs of compromise, and consider implementing additional security measures such as two-factor authentication, strong passwords, and regular backups. By prioritizing website security, you can focus on growing your business with peace of mind, knowing that your online presence is secure.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
