CVE-2024-2919 in Gutenberg Blocks Plugin
Summary
by MITRE • 04/04/2024
The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CountUp Widget in all versions up to, and including, 3.2.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-2919 affects the Gutenberg Blocks by Kadence Blocks plugin for WordPress, specifically targeting the CountUp Widget functionality within versions up to and including 3.2.31. This represents a critical security flaw that enables attackers to execute malicious scripts through stored cross-site scripting techniques, posing significant risks to WordPress installations that utilize this plugin. The vulnerability exists due to inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's codebase.
The technical flaw manifests in the plugin's handling of user input within the CountUp Widget component where attacker-controlled data is not adequately sanitized before being stored in the WordPress database. When authenticated users with contributor-level access or higher create or modify content using this widget, they can inject malicious JavaScript code into attributes that are subsequently stored and executed whenever other users access pages containing the compromised content. This stored XSS vulnerability operates through the standard WordPress plugin architecture where user-generated content is processed and rendered without proper security controls to prevent malicious script execution. The vulnerability directly maps to CWE-79 - Cross-Site Scripting and aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as it enables attackers to deliver malicious payloads through legitimate plugin interfaces.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to compromised WordPress installations through the authenticated user accounts. Contributors and above can leverage this vulnerability to inject scripts that could steal session cookies, redirect users to malicious sites, or perform actions on behalf of legitimate users. The stored nature of the vulnerability means that even after the initial attack vector is closed, the malicious scripts continue to execute whenever affected pages are accessed, providing attackers with prolonged access to compromised systems. This vulnerability particularly affects WordPress sites that rely heavily on user-generated content or collaborative editing features where multiple users with contributor privileges may interact with the plugin's interface.
Mitigation strategies for CVE-2024-2919 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement role-based access controls to limit contributor privileges and reduce the attack surface where possible. Additionally, administrators should consider implementing content security policies and monitoring for suspicious script injections in WordPress content. Regular security audits of installed plugins and themes should be conducted to identify similar vulnerabilities, with particular attention to plugins that handle user input through visual editors or widget interfaces. The vulnerability highlights the importance of proper input validation and output escaping practices as outlined in OWASP Top Ten and should be addressed through comprehensive security testing of all user-facing plugin components that process external data inputs.