Getwid Vulnerability – Gutenberg Blocks – Authenticated DOM-Based Stored Cross-Site Scripting via ‘Countdown’ – CVE-2024-3588 | WordPress Plugin Vulnerability Report 

Plugin Name: Getwid – Gutenberg Blocks

Key Information:

  • Software Type: Plugin
  • Software Slug: getwid
  • Software Status: Active
  • Software Author: jetmonsters
  • Software Downloads: 1,173,120
  • Active Installs: 60,000
  • Last Updated: May 10, 2024
  • Patched Versions: 2.0.8
  • Affected Versions: <= 2.0.7

Vulnerability Details:

  • Name: Getwid – Gutenberg Blocks <= 2.0.7
  • Title: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Countdown'
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3588
  • CVSS Score: 6.4
  • Publicly Published: April 26, 2024
  • Researcher: Webbernaut
  • Description: The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block in all versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

Summary:

The Getwid – Gutenberg Blocks plugin for WordPress has a vulnerability in versions up to and including 2.0.7 that exposes it to stored cross-site scripting (XSS) via the Countdown block. This critical security flaw has been addressed in version 2.0.8.

Detailed Overview:

Discovered by the researcher Webbernaut, this significant vulnerability arises due to inadequate input sanitization and output escaping mechanisms within the Countdown block of the Getwid – Gutenberg Blocks plugin. Attackers with at least contributor-level access can exploit this flaw to embed malicious scripts into WordPress pages. When these pages are viewed by other users, the malicious scripts execute, potentially leading to unauthorized data access, session hijacking, or redirecting visitors to malicious websites. The developers have addressed this vulnerability in the newly released patch, version 2.0.8, enhancing the security measures related to data handling and script execution.

Advice for Users:

  • Immediate Action: Update to version 2.0.8 immediately to close the security loophole.
  • Check for Signs of Vulnerability: Review your site's pages for any unusual or unauthorized script insertions, especially within the Countdown block.
  • Alternate Plugins: Consider exploring alternative Gutenberg block plugins that maintain a strong security track record as a precaution.
  • Stay Updated: Regularly update your WordPress plugins to their latest versions to protect against known vulnerabilities and ensure enhanced security features are in place.

Conclusion:

The quick response by the developers of the Getwid – Gutenberg Blocks plugin to correct this stored XSS vulnerability underscores the importance of timely software updates in maintaining website security. Users are advised to update their installations to version 2.0.8 or later to safeguard their WordPress sites from potential exploits linked to earlier versions of this plugin.

References:

Detailed Report: 

In today’s fast-evolving digital landscape, keeping your website up-to-date is not just a matter of accessing new features; it is crucial for ensuring security. The recent discovery of a significant vulnerability in the Getwid – Gutenberg Blocks plugin, which is used by over 60,000 WordPress sites, brings to light the critical need for regular updates. This vulnerability, identified as CVE-2024-3588, involves a DOM-based stored cross-site scripting issue within the plugin’s Countdown block, affecting versions up to and including 2.0.7. Such vulnerabilities can allow attackers with contributor-level access to inject harmful scripts that execute on user devices, leading to potential data breaches or other security incidents. As we explore the implications of this vulnerability, remember that the health of your website hinges on proactive security practices, including timely updates. For those feeling overwhelmed by the complexity of website security, this post aims to clarify the risks and provide straightforward advice on safeguarding your WordPress site.

Risks and Potential Impacts:

The vulnerability poses significant risks, particularly because it enables the execution of arbitrary scripts that can manipulate user sessions and extract sensitive information. For small business owners, such a breach can lead to loss of customer trust, potential legal repercussions, and financial damage. It is especially critical for sites that handle sensitive user data to address these vulnerabilities promptly.

How to Remediate the Vulnerability:

  • Immediate Action: Update the Getwid – Gutenberg Blocks plugin to the latest version (2.0.8), which contains the fix for the vulnerability.
  • Check for Signs of Vulnerability: Examine your website for unusual content additions, especially in areas utilizing the Countdown block.
  • Regular Monitoring and Updates: Keep all software on your site, including plugins and themes, updated. Consider setting automatic updates for critical components.
  • Security Best Practices: Employ comprehensive security solutions like web application firewalls (WAFs) and regular security audits to detect and mitigate threats.

Overview of Previous Vulnerabilities:

Prior to this incident, there have been six other documented vulnerabilities in the Getwid – Gutenberg Blocks plugin since its inception. This history underscores the importance of ongoing vigilance and regular updates to protect against emerging threats.

Conclusion:

The prompt resolution of the vulnerability in Getwid – Gutenberg Blocks by its developers is a reminder of the importance of maintaining current updates and monitoring for new security advisories. For small business owners managing a WordPress website, it is crucial to adopt a proactive approach to security. Staying informed and responsive to updates is not just about protecting your own data but also safeguarding your customers and your business reputation. In the digital world, the best defense is a good offense, which starts with regular updates and informed security practices.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Getwid Vulnerability – Gutenberg Blocks – Authenticated DOM-Based Stored Cross-Site Scripting via ‘Countdown’ – CVE-2024-3588 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment