PT-2024-24136 · WordPress · Post Blocks+5
João Pedro Soares De Alcântara
·
Published
2024-05-21
·
Updated
2024-07-11
·
CVE-2024-3155
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress versions up to, and including, 2.2.80
Description
The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers with contributor access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page.
Recommendations
For versions up to, and including, 2.2.80, update the plugin to a version that includes the necessary security patches to address the insufficient input sanitization and output escaping. As a temporary workaround, consider restricting contributor access and above to minimize the risk of exploitation. Monitor for patches and apply them as soon as they become available to ensure the security of the WordPress installation.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Form Maker
Popup Maker
Post Blocks
Post Carousel – Combo Blocks
Post Grid
Woocommerce Blocks