Stackable Vulnerability – Page Builder Gutenberg Blocks – Authenticated Stored Cross-Site Scripting via Posts Block – CVE-2024-2039 | WordPress Plugin Vulnerability Report
Plugin Name: Stackable – Page Builder Gutenberg Blocks
Key Information:
- Software Type: Plugin
- Software Slug: stackable-ultimate-gutenberg-blocks
- Software Status: Active
- Software Author: bfintal
- Software Downloads: 2,943,541
- Active Installs: 100,000
- Last Updated: March 28, 2024
- Patched Versions: 3.12.12
- Affected Versions: <= 3.12.11
Vulnerability Details:
- Name: Stackable – Page Builder Gutenberg Blocks <= 3.12.11
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Block
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2039
- CVSS Score: 6.4
- Publicly Published: March 28, 2024
- Researchers: Ngô Thiên An (ancorn_), Dau Hoang Tai - VNPT-VCI
- Description: The plugin is vulnerable to Stored Cross-Site Scripting through the Post(v2) block title tag due to inadequate input sanitization and output escaping, allowing attackers with contributor access to inject malicious scripts.
Summary:
The Stackable – Page Builder Gutenberg Blocks plugin, a widely used tool for adding advanced functionality to Gutenberg, has a medium-severity (CVSS 6.4) stored cross-site scripting vulnerability in versions up to and including 3.12.11. The flaw, tracked as CVE-2024-2039, arises from insufficient input sanitization and output escaping of the Post(v2) block title tag, which lets authenticated users with Contributor-level permissions or higher store scripts that run in the browser of anyone who views the affected content. The vulnerability is fixed in version 3.12.12.
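The class of defect described above is a block attribute that chooses the HTML tag wrapping a post title and is then written into the page without being constrained. The following PHP is an added illustration, not Stackable's own code: the attribute names (`titleTag`, `title`), the allowlist and the sample stored values are all hypothetical, chosen only to show the vulnerable pattern beside a hardened one.

```php
<?php
// Added illustration (not the plugin's code): constraining a block attribute
// that selects the HTML tag for a post title before it is rendered.
// The attribute names 'titleTag' and 'title' are hypothetical.

// Tags a block author may legitimately pick for a title. Anything else falls
// back to the default, so a stored attribute value is never echoed as markup.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'span', 'div'];

// VULNERABLE pattern: both attributes are interpolated straight into the HTML.
// A Contributor-level user controls what is saved in the block, so the "tag"
// does not have to stay a bare tag name and the title is not treated as text.
function render_title_vulnerable(array $attrs): string {
    $tag   = $attrs['titleTag'] ?? 'h2';
    $title = $attrs['title'] ?? '';
    return "<{$tag}>{$title}</{$tag}>";
}

// HARDENED pattern: allowlist the tag name and escape the title as a text node.
// Inside WordPress the equivalents are tag_escape() followed by an in_array()
// check against an allowlist for the tag, and esc_html() for the title text.
function render_title_hardened(array $attrs): string {
    $tag = strtolower(trim((string) ($attrs['titleTag'] ?? 'h2')));
    if (!in_array($tag, ALLOWED_TITLE_TAGS, true)) {
        $tag = 'h2'; // reject anything that is not a known-safe tag name
    }
    $title = htmlspecialchars((string) ($attrs['title'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Constructed sample block attributes, as a low-privilege author might save them.
$stored = [
    'titleTag' => 'h2 onmouseover="alert(1)"',
    'title'    => 'Quarterly report <img src=x onerror=alert(1)>',
];

echo "Vulnerable: ", render_title_vulnerable($stored), PHP_EOL;
echo "Hardened:   ", render_title_hardened($stored), PHP_EOL;
```

Run with `php example.php`: the vulnerable renderer emits the stored event handler and the inline `<img>` verbatim, while the hardened renderer prints a plain `<h2>` whose text has the angle brackets encoded. The design point is that the tag name is validated against a closed list rather than "cleaned", because there is no escaping function that makes an arbitrary string safe to use as a tag name.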
Detailed Overview:
This vulnerability was uncovered by security researchers Ngô Thiên An and Dau Hoang Tai, revealing a significant security gap in a plugin installed on over 100,000 WordPress sites. Because the injected script is stored with the post content, it executes every time the affected page is viewed, putting site integrity and the data of visitors and logged-in users at risk. The plugin developers released a patch promptly, underlining how important a quick response is to vulnerabilities of this kind.
Advice for Users:
- Immediate Action: Users are urged to update their Stackable plugin to version 3.12.12 immediately to mitigate the risks associated with CVE-2024-2039.
- Check for Signs of Vulnerability: Website administrators should review their sites for unusual content or behavior, especially within posts created or edited using the affected versions of the plugin.
- Alternate Plugins: While the vulnerability has been patched, users may explore alternative Gutenberg block plugins as a precautionary measure.
- Stay Updated: It's imperative to regularly update all WordPress plugins to their latest versions to protect against known vulnerabilities and maintain site security.
Conclusion:
The resolution of CVE-2024-2039 in the Stackable – Page Builder Gutenberg Blocks plugin highlights the critical role of ongoing vigilance and timely updates in the WordPress ecosystem. By keeping their site's plugins current, WordPress administrators can significantly reduce the risk of security breaches and preserve the safety and reliability of their online presence.
References:
- Wordfence Vulnerability Report for Stackable
- Additional Wordfence Report on Stackable Vulnerabilities