WordPress Plugin Vulnerability Report – VK Blocks – Authenticated (Contributor+) Stored Cross-Site Scripting via Block – CVE-2023-5706

Plugin Name: VK Blocks

Key Information:

  • Software Type: Plugin
  • Software Slug: vk-blocks
  • Software Status: Active
  • Software Author: vektor-inc
  • Software Downloads: 2,017,789
  • Active Installs: 80,000
  • Last Updated: October 24, 2023
  • Patched Versions: 1.64.0.0
  • Affected Versions: <= 1.63.0.1

Vulnerability Details:

  • Name: VK Blocks <= 1.63.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Block
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-5706
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: October 24, 2023
  • Researcher: Lana Codes
  • Description: The VK Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk-blocks/ancestor-page-list' block in all versions up to, and including, 1.63.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The VK Blocks plugin for WordPress has a vulnerability in versions up to and including 1.63.0.1 that allows authenticated users with contributor access or higher to inject malicious scripts into pages. This vulnerability has been patched in version 1.64.0.0.

Detailed Overview:

VK Blocks versions up to and including 1.63.0.1 contain an improper input sanitization vulnerability in the 'vk-blocks/ancestor-page-list' block that could enable authenticated users with contributor access or higher to store malicious scripts on pages that would execute whenever a user views the page. This stored cross-site scripting vulnerability, assigned CVE-2023-5706 and a CVSS v3.1 score of 6.4 (Medium severity), was publicly disclosed on October 24, 2023 by researcher Lana Codes. All users are strongly recommended to update to version 1.64.0.0 or higher as soon as possible to mitigate this vulnerability. Failing to apply the update leaves WordPress sites open to stored XSS attacks and potential compromise by authenticated users.

Advice for Users:

  1. Immediate Action: Update to version 1.64.0.0 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review page content for unauthorized scripts.
  3. Alternate Plugins: Consider alternate page builder plugins like Elementor as a precaution.
  4. Stay Updated: Always keep plugins updated to avoid vulnerabilities.

Conclusion:

The timely patch released by VK Blocks addresses this vulnerability and underlines the importance of keeping plugins updated. Users should install version 1.64.0.0 or later immediately to protect their sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vk-blocks

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vk-blocks/vk-blocks-16301-authenticated-contributor-stored-cross-site-scripting-via-block

Detailed Report:

Keeping your WordPress website secure requires constant vigilance - new vulnerabilities are discovered regularly that can put your site at risk if you don't stay on top of updates. One such vulnerability was recently disclosed that impacts users of the popular VK Blocks plugin.

In versions up to and including 1.63.0.1, VK Blocks contains a vulnerability that would allow authenticated users with contributor access or higher to inject malicious scripts into your pages. Left unpatched, this vulnerability opens the door for serious compromise of your WordPress site.

While the developers have released version 1.64.0.0 to address this stored cross-site scripting flaw, failing to update leaves your site susceptible. We strongly advise all VK Blocks users to update immediately to protect their websites.

If you need help updating or checking whether your site has been compromised, don't hesitate to contact us. Our team of WordPress experts can assist with updates, security scans, and any other steps needed to lock down vulnerabilities and keep your site safe. The security of your website is incredibly important, so we're here to help!

Let's take a closer look at the details:

VK Blocks is a popular WordPress plugin with over 2 million downloads and 80,000 active installs. It offers various blocks and templates to build pages. The plugin is actively maintained by developer Vektor, Inc. and was last updated on October 24th, 2023.

Researcher Lana Codes disclosed a vulnerability impacting VK Blocks versions up to and including 1.63.0.1. The vulnerability allows authenticated users with contributor-level access or higher to inject arbitrary scripts into pages that will execute when other users view those pages.

This is possible due to insufficient sanitization of user input in the 'vk-blocks/ancestor-page-list' block. The vulnerability has been assigned CVE identifier CVE-2023-5706 and a CVSS severity score of 6.4 (Medium).

If exploited, this vulnerability allows malicious authenticated users with contributor-level access or higher to potentially steal session cookies, take over admin accounts, or extract sensitive information from other authenticated users. It can lead to full site takeover in the hands of a motivated attacker.

To mitigate this vulnerability, users should update to VK Blocks version 1.64.0.0 or higher, which properly sanitizes the block's user-supplied attributes and escapes them on output to prevent stored XSS. Users should also review page content for any unauthorized scripts that may have been injected. If your site has been compromised, take it offline until you can fully remove any malicious code or users added by attackers.
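One way to carry out the review step above, as an added example that is not code from the plugin or from the original report: parse the WordPress block delimiters stored in post_content, decode the attribute JSON of every 'vk-blocks/ancestor-page-list' block, and flag attribute strings that contain script markup. The sample post_content is constructed; the report does not name the affected attribute, so the example checks every string attribute (className is only the standard block class attribute), and with block_name=None it goes beyond the page by scanning the attributes of all blocks.

```python
import json
import re

# WordPress block delimiter: <!-- wp:NAME {JSON attributes} /--> or <!-- wp:NAME {JSON} -->
BLOCK_RE = re.compile(r"<!--\s*wp:(?P<name>[a-z0-9/-]+)\s*(?P<attrs>\{.*?\})?\s*/?-->", re.DOTALL)
# Markup that should never survive in a block attribute that is echoed into the page.
SUSPICIOUS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event handlers such as onerror=
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|svg|object|embed)\b", re.I),
]

# Constructed sample of post_content, not taken from any real site. The block editor
# serialises "<", ">" and "--" inside attribute JSON as \uXXXX escapes, so a plain grep
# for "<script" over post_content misses the last block; decoding the JSON does not.
SAMPLE_POST_CONTENT = r"""<!-- wp:paragraph -->
<p>Hello</p>
<!-- /wp:paragraph -->
<!-- wp:vk-blocks/ancestor-page-list {"className":"is-style-list"} /-->
<!-- wp:vk-blocks/ancestor-page-list {"className":"x\u003cscript\u003ealert(1)\u003c/script\u003e"} /-->
"""

def _string_leaves(value):
    """Yield every string inside a (possibly nested) JSON attribute value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _string_leaves(v)

def scan_post_content(content, block_name="vk-blocks/ancestor-page-list"):
    """Return (block_name, attribute_value, pattern) per suspicious attribute string.
    block_name=None scans every block's attributes, not only the affected block."""
    findings = []
    for m in BLOCK_RE.finditer(content):
        if (block_name and m.group("name") != block_name) or not m.group("attrs"):
            continue
        try:
            attrs = json.loads(m.group("attrs"))
        except json.JSONDecodeError:  # hand-edited or truncated JSON: flag for manual review
            findings.append((m.group("name"), m.group("attrs"), "unparseable-json"))
            continue
        for leaf in _string_leaves(attrs):
            for pat in SUSPICIOUS:
                if pat.search(leaf):
                    findings.append((m.group("name"), leaf, pat.pattern))
                    break
    return findings
```

Run it over post_content exported from the database (for example via WP-CLI or a read-only SQL query) and treat every finding as something to inspect by hand, since a match only shows that script-like markup is stored, not that it renders.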

This is the 5th vulnerability found in VK Blocks since May 2023, underlining the importance of prompt updates for WordPress site security. Plugin vulnerabilities are common attack vectors and keeping them updated is crucial.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
