CVE-2024-1767 in Blocksy Plugininfo

Summary

by MITRE • 03/09/2024

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes like 'className' and 'radius'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/12/2026

The Blocksy WordPress theme presents a critical stored cross-site scripting vulnerability identified as CVE-2024-1767, affecting all versions through 2.0.26. This vulnerability resides within the theme's block implementation system where user-supplied attributes fail to undergo proper sanitization and escaping processes. The flaw specifically impacts the 'className' and 'radius' attributes which are processed without adequate validation mechanisms, creating an attack vector that can be exploited by malicious actors with contributor-level privileges or higher. The vulnerability operates as a stored XSS because malicious scripts are permanently stored within the theme's block processing system and executed whenever affected pages are accessed by any user, regardless of their permission level.

The technical exploitation of this vulnerability follows established patterns described in CWE-79, which categorizes cross-site scripting flaws as weaknesses in input validation and output escaping. Attackers can leverage this vulnerability by crafting malicious scripts within the block attributes and saving them through the WordPress admin interface, where the theme processes these inputs without proper sanitization. The stored nature of this vulnerability means that the malicious code persists in the database and executes automatically when users view pages containing the compromised blocks, making it particularly dangerous for content management systems where multiple users may have varying permission levels. The vulnerability demonstrates a failure in the principle of least privilege and proper input validation as defined in cybersecurity best practices.

The operational impact of CVE-2024-1767 extends beyond simple script execution, as it allows attackers to potentially hijack user sessions, steal sensitive information, or redirect users to malicious sites. Since contributors and above can exploit this vulnerability, it poses a significant risk to WordPress installations where content creators or editors have elevated privileges. The attack surface includes any page that utilizes the affected blocks, potentially compromising entire websites if administrators fail to update their themes promptly. This vulnerability also aligns with ATT&CK technique T1566, which describes the use of malicious content to gain initial access or execute malicious code within target environments. The persistence of stored XSS attacks makes this particularly dangerous for organizations relying on WordPress for content management.

Mitigation strategies for CVE-2024-1767 require immediate action including updating to the patched version of the Blocksy theme, which should implement proper input sanitization and output escaping for all user-supplied attributes. Organizations should also implement additional security measures such as role-based access controls to limit contributor privileges, regular security audits of installed themes and plugins, and monitoring for suspicious activity in the WordPress admin interface. The vulnerability highlights the importance of implementing defense-in-depth strategies and proper input validation as outlined in OWASP Top Ten security principles, specifically addressing the need for proper sanitization of all user inputs before they are processed or stored within web applications. Regular security assessments and patch management procedures should be enforced to prevent similar vulnerabilities from being exploited in other components of the WordPress ecosystem.

Responsible

Wordfence

Reservation

02/22/2024

Disclosure

03/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00320

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!