CSS Injection Vulnerability in Page Builder Gutenberg Blocks Plugin
CVE-2024-8760

5.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Stackable – Page Builder Gutenberg Blocks
Vendor: CVE Published:; 12 October 2024

Summary

The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users.

Affected Version(s)

Stackable – Page Builder Gutenberg Blocks * <= 3.13.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 12, 2024
Vulnerability Reserved
Sep 12, 2024

Credit

Francesco Carlucci