Stackable Vulnerability – Page Builder Gutenberg Blocks – Authenticated Stored Cross-Site Scripting via Posts Block – CVE-2024-2039 |WordPress Plugin Vulnerability Report

Plugin Name: Stackable – Page Builder Gutenberg Blocks

Key Information:

  • Software Type: Plugin
  • Software Slug: stackable-ultimate-gutenberg-blocks
  • Software Status: Active
  • Software Author: bfintal
  • Software Downloads: 2,943,541
  • Active Installs: 100,000
  • Last Updated: March 28, 2024
  • Patched Versions: 3.12.12
  • Affected Versions: <= 3.12.11

Vulnerability Details:

  • Name: Stackable – Page Builder Gutenberg Blocks <= 3.12.11
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Block
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2039
  • CVSS Score: 6.4
  • Publicly Published: March 28, 2024
  • Researchers: Ngô Thiên An (ancorn_), Dau Hoang Tai - VNPT-VCI
  • Description: The plugin is vulnerable to Stored Cross-Site Scripting through the Post(v2) block title tag due to inadequate input sanitization and output escaping, allowing attackers with contributor access to inject malicious scripts.


The Stackable – Page Builder Gutenberg Blocks plugin, a widely-used tool for adding advanced functionalities to Gutenberg, has a critical vulnerability in versions up to 3.12.11. This flaw, identified as CVE-2024-2039, arises from insufficient input sanitization and output escaping within the Post(v2) block title tag, permitting authenticated users with contributor-level permissions or higher to perform Stored Cross-Site Scripting attacks. The vulnerability has been addressed in the updated version 3.12.12.

Detailed Overview:

This vulnerability was uncovered by security researchers Ngô Thiên An and Dau Hoang Tai, shedding light on a significant security gap within a plugin installed on over 100,000 WordPress sites. The nature of Stored Cross-Site Scripting allows malicious scripts injected by attackers to persist within the affected sites, posing risks to site integrity and user data whenever the compromised content is accessed. Prompt action was taken by the plugin developers to release a patch, reinforcing the necessity of quick response in the face of such vulnerabilities.

Advice for Users:

  • Immediate Action: Users are urged to update their Stackable plugin to version 3.12.12 immediately to mitigate the risks associated with CVE-2024-2039.
  • Check for Signs of Vulnerability: Website administrators should review their sites for unusual content or behavior, especially within posts created or edited using the affected versions of the plugin.
  • Alternate Plugins: While the vulnerability has been patched, users may explore alternative Gutenberg block plugins as a precautionary measure.
  • Stay Updated: It's imperative to regularly update all WordPress plugins to their latest versions to protect against known vulnerabilities and maintain site security.


The resolution of CVE-2024-2039 in the Stackable – Page Builder Gutenberg Blocks plugin highlights the critical role of ongoing vigilance and timely updates in the WordPress ecosystem. By proactively maintaining the currency of their site's plugins, WordPress administrators can significantly reduce the risk of security breaches, ensuring the safety and reliability of their online presence.


Detailed Report: 

In the digital tapestry that forms the backbone of modern businesses, WordPress stands out as a platform of choice for its flexibility and the vast array of plugins it supports. Among these, the Stackable – Page Builder Gutenberg Blocks plugin has carved its niche, enabling users to extend the capabilities of the Gutenberg editor with advanced blocks and sophisticated design options. However, the discovery of a significant vulnerability, CVE-2024-2039, in this critical tool highlights an immutable truth of the digital age: vigilance and proactive maintenance are non-negotiable pillars of website security.

Plugin Overview: Stackable – Page Builder Gutenberg Blocks

Developed by bfintal, Stackable is a cornerstone for over 100,000 WordPress sites, lauded for its ability to enrich content creation with an array of customizable blocks. Despite its popularity and the developer's commitment to innovation, evidenced by over 2.9 million downloads, the plugin was not immune to security pitfalls. In versions up to and including 3.12.11, a loophole was identified that compromised the security of countless websites.

Unveiling the Vulnerability: CVE-2024-2039

CVE-2024-2039 exposes a Stored Cross-Site Scripting (XSS) vulnerability through the Post(v2) block title tag, stemming from insufficient input sanitization and output escaping. This flaw allowed attackers with contributor-level access to inject malicious scripts, posing a direct threat to site integrity and user data. Discovered by researchers Ngô Thiên An and Dau Hoang Tai, this vulnerability served as a stark reminder of the latent risks in even the most trusted software components.

Potential Impacts and Risks

The implications of CVE-2024-2039 extend beyond mere technical glitches, threatening the very foundation of trust and security that users expect from their digital platforms. Malicious scripts injected through this vulnerability could lead to unauthorized data access, privacy breaches, and a tarnished website reputation, undermining user confidence and potentially leading to significant business repercussions.

Remediation and Proactive Steps

In response to this discovery, the developers swiftly released version 3.12.12, addressing the vulnerability and fortifying the plugin against similar threats. For users, the immediate course of action involves updating to this patched version, coupled with a thorough review of site activity and user roles to preempt any exploitation of the vulnerability. Additionally, considering alternative plugins and maintaining a routine of regular updates are prudent measures to enhance site security.

Navigating Past Vulnerabilities

This incident was not Stackable's first encounter with security challenges; with two previous vulnerabilities reported since March 4, 2022, the plugin's history underscores the ongoing battle between innovation and security. Each vulnerability serves as a learning curve, informing better practices and stronger defenses, contributing to the continuous improvement of the digital ecosystem.

The Imperative of Digital Vigilance

For small business owners, the incident reiterates the critical importance of staying abreast of security updates and vulnerabilities. In an era where your digital presence is inextricably linked to your business identity, the security of your WordPress site transcends technical responsibility—it's a fundamental aspect of your business's integrity and trustworthiness. Adopting a proactive stance towards website maintenance, prioritizing regular updates, and staying informed about potential vulnerabilities are essential strategies to safeguard your digital frontier in an ever-evolving cyber landscape.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Stackable Vulnerability – Page Builder Gutenberg Blocks – Authenticated Stored Cross-Site Scripting via Posts Block – CVE-2024-2039 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment