CVE-2024-9601 in Qubely Plugininfo

Summary

by MITRE • 02/14/2025

The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/14/2025

The vulnerability identified as CVE-2024-9601 affects the Qubely – Advanced Gutenberg Blocks plugin for WordPress, representing a critical stored cross-site scripting weakness that undermines web application security. This flaw exists in all plugin versions up to and including 1.8.12, making it a persistent threat across multiple releases. The vulnerability specifically targets the 'align' and 'UniqueID' parameters within the plugin's functionality, creating an attack vector that can be exploited by malicious actors with relatively low privileges.

The technical root cause stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase. When authenticated users with Contributor-level access or higher submit content containing malicious scripts through these parameters, the plugin fails to properly validate or escape the input before storing it in the database. This stored data then executes whenever any user accesses the affected pages, creating a persistent threat that can compromise multiple users over time. The vulnerability aligns with CWE-79, which describes improper neutralization of input during web page generation, specifically focusing on cross-site scripting attacks.

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. Since the attack requires only Contributor-level access, it represents a significant risk to WordPress installations where multiple users have varying permission levels. The stored nature of the vulnerability means that once exploited, the malicious scripts remain active until manually removed from the database, potentially affecting numerous site visitors over extended periods.

Attackers leveraging this vulnerability can craft malicious content that appears legitimate within the WordPress interface, making detection more challenging for administrators. The exploitation process involves creating or modifying posts and pages containing crafted payloads in the vulnerable parameters, which then execute in the browsers of unsuspecting users who view these pages. This attack pattern corresponds to techniques described in the ATT&CK framework under web application attacks, specifically targeting the execution of malicious code through content management systems. Organizations should prioritize immediate remediation by updating to patched versions of the plugin, implementing additional input validation measures, and monitoring for suspicious user activity that might indicate exploitation attempts.

Responsible

Wordfence

Reservation

10/07/2024

Disclosure

02/14/2025

Moderation

accepted

CPE

ready

EPSS

0.00300

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!