CVE-2024-0598

Name of the Vulnerable Software and Affected Versions The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress versions up to and including 3.2.17

Description The issue is related to Stored Cross-Site Scripting via the contact form message settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with editor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue primarily affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For versions up to and including 3.2.17, update the plugin immediately and verify all contact forms to ensure no malicious scripts have been injected. As a temporary workaround, consider restricting access to the contact form message settings to minimize the risk of exploitation.