A newly disclosed vulnerability in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress has raised concerns among website administrators and developers.
The flaw, identified as CVE-2024-10178, allows attackers with contributor-level access or higher to inject malicious scripts into web pages through the plugin’s Countdown widget.
While this vulnerability affects all versions of the plugin up to and including 3.3.9.
The issue stems from insufficient input sanitization and output escaping on user-supplied attributes within the Countdown widget.
This improper handling enables attackers to execute Stored Cross-Site Scripting (XSS) attacks. Once a malicious script is injected, it executes whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other harmful actions.
Researchers at Wordfence identified that the vulnerability is classified as medium severity with a CVSS score of 6.4, reflecting its potential impact and ease of exploitation.
Notably, the attack requires no user interaction beyond accessing an affected page, making it particularly concerning for administrators managing multi-user WordPress sites.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
Flaw Profile
.webp)
The vulnerability was publicly disclosed on December 4, 2024, and a patch has been released in version 3.4.0 of the plugin. Website administrators are strongly advised to:-
- Update the Gutentor plugin immediately to version 3.4.0 or later.
- Review user roles and permissions to minimize risks associated with contributor-level access.
- Implement additional security measures such as web application firewalls (WAF) to monitor and block malicious activity.
Stored XSS vulnerabilities like this one highlight the importance of secure coding practices, particularly around input validation and output escaping.
Plugins with widespread use (like Gutentor, which is part of the Gutenberg ecosystem) pose significant risks when vulnerabilities are exploited.
The vulnerability was discovered by security researcher Webbernaut and has been documented in multiple security databases.
Administrators are encouraged to stay informed about plugin vulnerabilities through trusted sources and act promptly when updates are released.
By addressing this issue swiftly, WordPress site owners can protect their websites from potential exploitation and maintain user trust in their platforms.
Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses