CVE-2024-12581

Name of the Vulnerable Software and Affected Versions Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress versions up to, and including, 3.2.53

Description The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress versions up to, and including, 3.2.53, consider disabling the admin settings feature until a patch is available to prevent exploitation. Restrict access to the plugin's configuration to minimize the risk of arbitrary web script injection. Additionally, enabling unfiltered html or switching to a single-site installation may mitigate the issue, but this should be done with caution and consideration of the potential impact on the website's functionality.