Gutenberg Blocks by Kadence Blocks Vulnerability – Page Builder Features – Multiple Vulnerabilities – CVE-2024-0598 & CVE-2024-2919 | WordPress Plugin Vulnerability Report
Plugin Name: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Key Information:
- Software Type: Plugin
- Software Slug: kadence-blocks
- Software Status: Active
- Software Author: britner
- Software Downloads: 17,837,802
- Active Installs: 400,000
- Last Updated: April 3, 2024
- Patched Versions: 3.2.18
- Affected Versions: <= 3.2.17 for CVE-2024-0598 and <= 3.2.31 for CVE-2024-2919
Vulnerability 1 Details:
- Name: Gutenberg Blocks by Kadence Blocks <= 3.2.17
- Title: Authenticated (Editor+) Stored Cross-Site Scripting via Contact Form Message Settings
- Type: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-0598
- CVSS Score: 4.4
- Publicly Published: April 2, 2024
- Researcher: Akbar Kustirama
- Description: This vulnerability in the plugin allows authenticated attackers with editor-level access to inject arbitrary web scripts via the contact form message settings. It primarily affects multi-site installations or those where unfiltered_html is disabled.
Vulnerability 2 Details:
- Name: Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.31
- Title: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown and CountUp Widget
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2919
- CVSS Score: 6.4
- Publicly Published: April 3, 2024
- Researcher: Webbernaut
- Description: This vulnerability stems from insufficient sanitization and escaping of user-supplied attributes in the Countdown and CountUp Widget, enabling authenticated attackers with contributor-level access to execute arbitrary web scripts.
Summary:
The "Gutenberg Blocks by Kadence Blocks – Page Builder Features" plugin for WordPress has encountered significant security issues, notably in versions up to and including 3.2.17 and 3.2.31, for two different vulnerabilities. These flaws allowed authenticated attackers to execute Stored Cross-Site Scripting attacks through various plugin features. The developers have addressed these issues in the version 3.2.18.
Detailed Overview:
Both vulnerabilities discovered by Akbar Kustirama and Webbernaut present significant security concerns, particularly for multi-site installations or those with specific configurations. The vulnerabilities could potentially allow attackers to execute malicious scripts, compromising site integrity and user security. The prompt patching of these vulnerabilities in version 3.2.18 reflects a critical step towards securing affected WordPress installations.
Advice for Users:
- Immediate Action: Update the plugin to version 3.2.18 without delay.
- Check for Signs of Vulnerability: Monitor your site for unexpected changes or content, which may indicate a compromise.
- Alternate Plugins: Consider using alternative plugins with similar functionality as an additional precaution.
- Stay Updated: Regularly update all your WordPress plugins and core to safeguard against known vulnerabilities.
Conclusion:
The swift action taken by the developers of "Gutenberg Blocks by Kadence Blocks – Page Builder Features" to patch these vulnerabilities highlights the critical nature of regular software updates in maintaining site security. Users are urged to upgrade to version 3.2.18 or later to protect their WordPress installations from these and other potential security threats.
References:
Detailed Report:
In an era where digital presence is paramount, the security of your website serves as the cornerstone of trust and reliability for your visitors and customers. The recent uncovering of vulnerabilities within the "Gutenberg Blocks by Kadence Blocks – Page Builder Features" plugin for WordPress is a potent reminder of the ever-present cyber threats looming over digital spaces. Identified as CVE-2024-0598 and CVE-2024-2919, these vulnerabilities expose the thin line between a secure website and a potential cyber disaster, underscoring the critical need for constant vigilance and timely updates in maintaining website security.
Plugin Overview:
"Gutenberg Blocks by Kadence Blocks – Page Builder Features" is a popular WordPress plugin developed by britner, boasting over 400,000 active installations. The plugin, designed to enhance the functionality and design of WordPress sites, recently came under scrutiny when vulnerabilities were detected in versions up to and including 3.2.17 and 3.2.31. With a wide user base and substantial downloads totaling 17,837,802, the impact scope is significant, emphasizing the importance of addressing these security concerns promptly.
Vulnerability Insights:
The first vulnerability, CVE-2024-0598, allows authenticated users with editor-level access or higher to exploit Stored Cross-Site Scripting (XSS) through the plugin's contact form message settings. This flaw primarily affects multi-site installations or instances where the unfiltered_html capability is disabled. The second vulnerability, CVE-2024-2919, also involves Stored XSS but through the Countdown and CountUp Widget, allowing attackers with contributor-level access to inject malicious scripts. Both vulnerabilities stem from insufficient input sanitization and output escaping, creating a gateway for unauthorized script execution.
Risks and Impacts:
The exploitation of these vulnerabilities can lead to severe consequences, including unauthorized data access, website defacement, and the spread of malware to unsuspecting visitors. For small business owners, such breaches not only endanger user data but also tarnish the business's reputation and trustworthiness, potentially leading to irreversible damage.
Remediation Steps:
In response to these vulnerabilities, the developers released a patched version, 3.2.18, effectively neutralizing the threats posed by these security flaws. Users of the plugin are strongly encouraged to update to this latest version immediately to safeguard their sites. Additionally, regular monitoring for unusual site activities and content changes is advised to detect potential compromises.
Historical Context:
It's noteworthy that this isn't the plugin's first encounter with security vulnerabilities; four previous issues have been reported since August 9, 2023. This pattern highlights the ongoing challenge of software security and the necessity for continuous attention to updates and patches.
Conclusion:
For small business owners juggling myriad responsibilities, staying atop security updates can seem daunting. However, the consequences of neglecting website security can be far more burdensome. Implementing regular maintenance schedules, utilizing automated update features, and subscribing to security advisories can significantly reduce the risk of vulnerabilities, ensuring your website remains a secure and reliable resource for your audience. In the digital age, proactive security practices are not just beneficial; they are indispensable for safeguarding your digital storefront against the ever-evolving landscape of cyber threats.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.