CVE-2024-4057 in Gutenberg Blocks Plugin
Summary
by MITRE • 06/04/2024
The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.37 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/30/2025
The vulnerability identified as CVE-2024-4057 affects the Gutenberg Blocks with AI by Kadence WP WordPress plugin version 3.2.36 and earlier. This security flaw resides in the plugin's handling of block attributes within the WordPress Gutenberg editor environment. The issue stems from insufficient input validation and output escaping mechanisms that fail to properly sanitize user-supplied data before rendering it within web pages. Attackers exploiting this vulnerability can inject malicious scripts that persist in the content and execute when other users view the affected pages or posts.
The technical implementation of this vulnerability involves the plugin's failure to adequately sanitize block attributes when they are processed and rendered in the frontend. When contributors and users with higher privileges create or modify content blocks, the plugin stores user input without proper validation. This creates a stored cross-site scripting vector where malicious scripts can be embedded in block attributes and subsequently executed in the browsers of other users who access the affected content. The vulnerability specifically targets the plugin's handling of attributes that are directly output to HTML contexts without appropriate sanitization.
From an operational perspective, this vulnerability presents a significant risk to WordPress sites using the affected plugin. The contributor role and above can leverage this flaw to inject malicious JavaScript code that could perform various harmful actions including stealing user sessions, defacing websites, redirecting visitors to malicious sites, or executing additional attacks through the compromised user contexts. The stored nature of the XSS means that the malicious code persists even after the initial injection, making it particularly dangerous for sites where multiple users contribute content. The impact extends beyond individual posts to potentially affect entire site reputations and user trust.
Security mitigation for this vulnerability requires immediate patching to version 3.2.37 or later of the Gutenberg Blocks with AI by Kadence WP plugin. Administrators should also implement additional defensive measures such as monitoring for unusual content modifications and conducting regular security audits of user-generated content. The vulnerability aligns with CWE-79 which describes Cross-Site Scripting flaws, and represents a specific implementation issue that could be categorized under ATT&CK technique T1566.3 for "Phishing with Social Engineering" or T1059.007 for "Command and Scripting Interpreter: JavaScript" when malicious scripts execute. Organizations should also consider implementing Content Security Policies to limit the impact of potential XSS attacks and regularly review plugin security updates to maintain comprehensive defense in depth.