Page Builder Gutenberg Blocks – CoBlocks Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles – CVE-2024-2933 | WordPress Plugin Vulnerability Report
Plugin Name: Page Builder Gutenberg Blocks – CoBlocks
Key Information:
- Software Type: Plugin
- Software Slug: coblocks
- Software Status: Active
- Software Author: GoDaddy
- Software Downloads: 21,200,695
- Active Installs: 400,000
- Last Updated: June 12, 2024
- Patched Versions: 3.1.10
- Affected Versions: <= 3.1.9
Vulnerability Details:
- Name: Page Builder Gutenberg Blocks – CoBlocks <= 3.1.9
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2933
- CVSS Score: 6.4
- Publicly Published: May 31, 2024
- Researcher: Wesley
- Description: The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Social Profiles widget in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
Summary:
The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress has a vulnerability in versions up to and including 3.1.9 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the Social Profiles widget. This vulnerability has been patched in version 3.1.10.
Detailed Overview:
The vulnerability lies in the Social Profiles widget of the CoBlocks plugin, where insufficient input sanitization and output escaping on user-supplied attributes create a loophole for attackers. By exploiting this vulnerability, authenticated attackers with contributor-level access and above can inject malicious scripts into pages, compromising the security of affected websites. The risk includes unauthorized data access, defacement, and potential redirection of users to malicious sites. To remediate the vulnerability, users are strongly advised to update the plugin to version 3.1.10 or later.
Advice for Users:
- Immediate Action: Update the Page Builder Gutenberg Blocks – CoBlocks plugin to version 3.1.10 or later to mitigate the risk of exploitation.
- Check for Signs of Vulnerability: Monitor your website for any unusual behavior, such as unexpected pop-ups or redirects, which may indicate compromise.
- Alternate Plugins: Consider using alternative plugins that offer similar functionality as a precautionary measure until the vulnerability is patched.
- Stay Updated: Regularly check for updates to all installed plugins to ensure protection against vulnerabilities and maintain the security of your WordPress website.
Conclusion:
The swift response from the plugin developers in releasing version 3.1.10 underscores the importance of timely updates in maintaining the security of WordPress installations. Users are urged to ensure that they are running version 3.1.10 or later to secure their WordPress installations against the vulnerability identified in CVE-2024-2933.
References:
Detailed Report:
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.