Page Builder Gutenberg Blocks Vulnerability – CoBlocks – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1049 | WordPress Plugin Vulnerability Report

Plugin Name: Page Builder Gutenberg Blocks – CoBlocks

Key Information:

  • Software Type: Plugin
  • Software Slug: coblocks
  • Software Status: Active
  • Software Author: GoDaddy
  • Software Downloads: 19,886,964
  • Active Installs: 400,000
  • Last Updated: March 22, 2024
  • Patched Versions: 3.1.7
  • Affected Versions: <= 3.1.6

Vulnerability Details:

  • Name: Page Builder Gutenberg Blocks – CoBlocks <= 3.1.6
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1049
  • CVSS Score: 6.4
  • Publicly Published: March 22, 2024
  • Researcher: Webbernaut
  • Description: The CoBlocks plugin for WordPress, known for enhancing Gutenberg block capabilities, contains a vulnerability in its Icon Widget. Insufficient input sanitization and output escaping on link values up to version 3.1.6 allow authenticated users with contributor-level access or higher to perform stored cross-site scripting (XSS) attacks. This can lead to the injection of arbitrary web scripts that are executed when a user visits a compromised page.


CoBlocks, a popular plugin designed to extend the functionality of Gutenberg blocks within WordPress, has been identified to contain a stored XSS vulnerability in its Icon Widget feature in versions up to and including 3.1.6. This vulnerability, which arises from inadequate input sanitization and output escaping mechanisms, poses a risk as it enables malicious script injections. The issue has been rectified in the recent patch, version 3.1.7.

Detailed Overview:

The security flaw, uncovered by the researcher Webbernaut, puts websites at risk by allowing attackers with sufficient permissions to embed harmful scripts within the Icon Widget's link value. Such scripts can be executed unwittingly by any user visiting the affected page, potentially leading to unauthorized access and other security breaches. This vulnerability highlights the critical need for rigorous input validation and output encoding in plugin development to prevent XSS attacks.

Advice for Users:

  • Immediate Action: Users of the CoBlocks plugin should immediately update to version 3.1.7 to address this vulnerability and safeguard their websites against potential exploits.
  • Check for Signs of Vulnerability: Website administrators are encouraged to inspect their sites for unusual content or behavior, particularly in areas utilizing the CoBlocks Icon Widget.
  • Alternate Plugins: While the patched version is deemed secure, users may explore alternative Gutenberg block plugins that offer similar functionalities, ensuring they maintain a robust security posture.
  • Stay Updated: Consistently keeping all WordPress plugins and themes updated to their latest versions is crucial in protecting against known vulnerabilities and enhancing overall site security.


The swift action taken by the CoBlocks development team to release a patch for this vulnerability underscores the importance of continuous monitoring and timely updates in the digital landscape. Users are advised to promptly update their CoBlocks plugin to version 3.1.7 or newer to mitigate the risks associated with CVE-2024-1049 and ensure the security of their WordPress installations.


Detailed Report: 

In today's digital ecosystem, WordPress stands as a cornerstone for many websites, offering versatility through an extensive range of plugins. Among these, Page Builder Gutenberg Blocks – CoBlocks by GoDaddy enhances the Gutenberg editor with advanced layout options. However, the discovery of a vulnerability within CoBlocks, designated as CVE-2024-1049, casts a spotlight on the critical importance of maintaining plugin security. This vulnerability underscores a vital lesson for all website owners: the necessity of vigilance and regular updates to safeguard online platforms.

Plugin Overview:

Page Builder Gutenberg Blocks – CoBlocks, a plugin designed to extend the capabilities of the Gutenberg editor in WordPress, is widely used for its intuitive page-building features. With over 19 million downloads and 400,000 active installations, its impact is significant. The plugin is actively maintained by GoDaddy, with the latest update released on March 22, 2024.

Vulnerability Details:

CVE-2024-1049 highlights an Authenticated Stored Cross-Site Scripting (XSS) issue within the CoBlocks Icon Widget. The vulnerability arises from inadequate input sanitization and output escaping for link values, allowing users with contributor-level access to inject malicious scripts. This flaw, identified in versions up to 3.1.6, was publicly disclosed on March 22, 2024, by the researcher Webbernaut.

Risks and Impacts:

The exploitation of this vulnerability can lead to severe consequences, including unauthorized access, data breaches, and the potential for attackers to gain control of affected websites. The nature of stored XSS means that malicious scripts could be executed by unsuspecting users, compounding the risk and scope of potential damage.

Remediation Steps:

In response to the vulnerability, GoDaddy promptly released version 3.1.7 of CoBlocks, which addresses the security issue. Website owners and administrators using CoBlocks are urged to update to this patched version immediately. Additionally, users should conduct thorough reviews of their sites for any unusual content or behavior, especially in areas where the Icon Widget has been used.

Historical Context:

While CVE-2024-1049 is the current concern, it's not the first vulnerability discovered in CoBlocks. Acknowledging and understanding the plugin's security history is crucial for users, emphasizing the importance of staying informed about potential vulnerabilities.


The swift resolution of CVE-2024-1049 by GoDaddy serves as a testament to the WordPress community's dedication to security. For small business owners and other WordPress users, this incident is a compelling reminder of the importance of regular plugin updates and cybersecurity vigilance. In the fast-paced digital world, the security of your website is paramount, not just for the protection of your data but also for maintaining the trust of your visitors. Ensuring that your WordPress plugins, like CoBlocks, are always up-to-date is a crucial step in safeguarding your online presence against ever-evolving threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Page Builder Gutenberg Blocks Vulnerability – CoBlocks – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1049 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment