CVE-2024-1999 in Gutenberg Blocks Plugininfo

Summary

by MITRE • 04/10/2024

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget's anchor style parameter in all versions up to, and including, 3.2.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2024-1999 affects the Gutenberg Blocks by Kadence Blocks plugin, a popular WordPress page builder extension that enables users to create custom content layouts using various blocks and widgets. This particular flaw resides within the Testimonial Widget component, specifically in how it handles the anchor style parameter. The issue represents a classic stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into the plugin's configuration, which then executes whenever affected pages are viewed by other users. The vulnerability impacts all versions of the plugin up to and including version 3.2.25, making it a significant concern for WordPress sites that rely on this functionality for customer testimonials or featured content sections.

The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When administrators or contributors with appropriate privileges configure the Testimonial Widget, the anchor style parameter fails to properly validate or sanitize user-supplied input before storing it in the database. This allows malicious scripts to be permanently embedded within the plugin's configuration data. The vulnerability is classified as CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security where user-provided data is not properly escaped before being rendered in web pages. The flaw specifically manifests when the stored script data is later retrieved and executed in the browser context of any user who accesses pages containing the maliciously configured widget.

The operational impact of this vulnerability is substantial as it requires only contributor-level privileges to exploit, making it particularly dangerous in environments where multiple users have editing capabilities. An attacker with access to the WordPress admin panel can inject malicious JavaScript code through the testimonial widget configuration, which will execute in the browsers of all users who view pages containing the affected widget. This creates a persistent threat that can be used for various malicious purposes including credential theft, session hijacking, defacement of content, or redirection to malicious websites. The stored nature of the vulnerability means that once exploited, the malicious code remains active until manually removed from the plugin configuration, potentially affecting numerous visitors over extended periods. This type of vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, where attackers can use the compromised widget to deliver malicious payloads to unsuspecting users who access the affected pages.

Mitigation strategies for this vulnerability should focus on immediate patching of the plugin to version 3.2.26 or later, which contains the necessary security fixes. Administrators should also implement additional security measures such as restricting contributor-level access to plugin configuration areas and conducting regular security audits of all active plugins. The principle of least privilege should be enforced by limiting user roles to only those capabilities necessary for their specific tasks. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against script execution, though this should not be considered a replacement for proper input validation. Organizations should also consider implementing web application firewalls and monitoring systems that can detect and alert on suspicious script injection attempts. Regular security updates and patch management processes should be enforced across all WordPress installations to prevent similar vulnerabilities from being exploited in the future, as this vulnerability demonstrates the critical importance of maintaining current software versions and proper input sanitization practices in web applications.

Responsible

Wordfence

Reservation

02/28/2024

Disclosure

04/10/2024

Moderation

accepted

CPE

ready

EPSS

0.00531

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!