Essential Blocks Vulnerability – Page Builder Gutenberg Blocks, Patterns & Templates – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-2255 |WordPress Plugin Vulnerability Report
Plugin Name: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Key Information:
- Software Type: Plugin
- Software Slug: essential-blocks
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 2,747,397
- Active Installs: 100,000
- Last Updated: March 19, 2024
- Patched Versions: 4.5.4
- Affected Versions: <= 4.5.2
Vulnerability Details:
- Name: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.3
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2255
- CVSS Score: 6.4
- Publicly Published: March 19, 2024
- Researcher: wesley
- Description: The plugin is vulnerable to Stored Cross-Site Scripting via its widgets due to insufficient input sanitization and output escaping on user-supplied attributes such as listStyle. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages, which execute whenever a user accesses an injected page.
Summary:
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress has a vulnerability in versions up to and including 4.5.2 that allows for stored cross-site scripting through insufficient input sanitization and output escaping. This vulnerability has been patched in version 4.5.4.
Detailed Overview:
The vulnerability, identified by researcher Wesley, exists within the plugin's widgets and arises from inadequate sanitization of user inputs and escaping of outputs. This flaw enables authenticated users with at least contributor-level access to inject malicious scripts into web pages via the plugin. Such scripts can then be executed by unsuspecting users who view the compromised content. The risk posed by this vulnerability includes unauthorized access to user data and potential control over affected WordPress sites. Remediation has been addressed in the patched version 4.5.4 of the plugin.
Advice for Users:
- Immediate Action: Users should update to the patched version 4.5.4 immediately.
- Check for Signs of Vulnerability: Monitor your website for any unusual activity or unauthorized content additions.
- Alternate Plugins: Consider using alternative plugins offering similar functionalities as a precaution.
- Stay Updated: Regularly update all plugins to their latest versions to mitigate vulnerabilities.
Conclusion:
The swift action by the plugin developers to release a patch for this vulnerability highlights the critical nature of maintaining updated software. To ensure the security of WordPress installations, users must upgrade to version 4.5.4 or later.