CVE-2024-8760

Name of the Vulnerable Software and Affected Versions: The Stackable – Page Builder Gutenberg Blocks plugin for WordPress versions up to, and including, 3.13.6

Description: The issue allows unauthenticated attackers to embed untrusted style information into comments, resulting in the possibility of data exfiltration, such as admin nonces, with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, posing a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users.

Recommendations: For versions up to, and including, 3.13.6, update to a version later than 3.13.6 to resolve the issue. As a temporary workaround, consider restricting access to the comments section to minimize the risk of exploitation. Restrict access to AJAX actions and other actions reachable by lower-privileged users to protect against potential CSRF attacks.