Page Builder Gutenberg Blocks – CoBlocks Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles – CVE-2024-2933 | WordPress Plugin Vulnerability Report

Plugin Name: Page Builder Gutenberg Blocks – CoBlocks

Key Information:

  • Software Type: Plugin
  • Software Slug: coblocks
  • Software Status: Active
  • Software Author: GoDaddy
  • Software Downloads: 21,200,695
  • Active Installs: 400,000
  • Last Updated: June 12, 2024
  • Patched Versions: 3.1.10
  • Affected Versions: <= 3.1.9

Vulnerability Details:

  • Name: Page Builder Gutenberg Blocks – CoBlocks <= 3.1.9
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2933
  • CVSS Score: 6.4
  • Publicly Published: May 31, 2024
  • Researcher: Wesley
  • Description: The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Social Profiles widget in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

Summary:

The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress has a vulnerability in versions up to and including 3.1.9 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the Social Profiles widget. This vulnerability has been patched in version 3.1.10.

Detailed Overview:

The vulnerability lies in the Social Profiles widget of the CoBlocks plugin, where insufficient input sanitization and output escaping on user-supplied attributes create a loophole for attackers. By exploiting this vulnerability, authenticated attackers with contributor-level access and above can inject malicious scripts into pages, compromising the security of affected websites. The risk includes unauthorized data access, defacement, and potential redirection of users to malicious sites. To remediate the vulnerability, users are strongly advised to update the plugin to version 3.1.10 or later.

Advice for Users:

  • Immediate Action: Update the Page Builder Gutenberg Blocks – CoBlocks plugin to version 3.1.10 or later to mitigate the risk of exploitation.
  • Check for Signs of Vulnerability: Monitor your website for any unusual behavior, such as unexpected pop-ups or redirects, which may indicate compromise.
  • Alternate Plugins: Consider using alternative plugins that offer similar functionality as a precautionary measure until the vulnerability is patched.
  • Stay Updated: Regularly check for updates to all installed plugins to ensure protection against vulnerabilities and maintain the security of your WordPress website.

Conclusion:

The swift response from the plugin developers in releasing version 3.1.10 underscores the importance of timely updates in maintaining the security of WordPress installations. Users are urged to ensure that they are running version 3.1.10 or later to secure their WordPress installations against the vulnerability identified in CVE-2024-2933.

References:

Detailed Report: 

Introduction

In the fast-paced digital realm, where websites serve as the storefronts of the modern era, security stands as an unyielding guardian. Yet, amidst the quest for innovation and functionality, vulnerabilities often lurk beneath the surface, awaiting discovery. Today, we turn our attention to a critical vulnerability affecting the Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress.

Plugin Details

The Page Builder Gutenberg Blocks – CoBlocks, developed by GoDaddy, is a popular tool among WordPress users, boasting over 21 million downloads and 400,000 active installations. This plugin enhances website design flexibility with its array of customizable blocks and widgets.

Vulnerability Details

This vulnerability, CVE-2024-2933, allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages, exploiting insufficient input sanitization and output escaping within the Social Profiles widget.

Risks/Impacts

The implications are dire, ranging from unauthorized data access to defacement and potential redirection to malicious sites.

Remediation

To remediate the vulnerability, users are urged to promptly update the plugin to version 3.1.10 or later.

Overview of Previous Vulnerabilities

While this vulnerability has been swiftly addressed, it's essential to recognize the broader context of website security.

Conclusion

For small business owners with limited time and resources, staying on top of security vulnerabilities may seem daunting. However, proactive measures, such as regular updates and monitoring for signs of compromise, are essential to safeguarding your online presence and protecting your business from potential risks. By prioritizing security and staying informed about emerging threats, you can fortify your digital fortress and navigate the complexities of website security with confidence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

 

Page Builder Gutenberg Blocks – CoBlocks Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles – CVE-2024-2933 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment