vulnrichment | WPScan | VULNRICHMENT:CVE-2024-5595
Aug 02, 2024 - 6:00 a.m.

CVE-2024-5595 Essential Blocks < 4.7.0 - Contributor+ Stored XSS

2024-08-02 06:00:06
WPScan
github.com
wordpress
essential blocks
stored xss
contributor+ role
cross-site scripting

SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

The Essential Blocks WordPress plugin before 4.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:wpdeveloper:essential_blocks:*:*:*:*:*:wordpress:*:*"
    ],
    "vendor": "wpdeveloper",
    "product": "essential_blocks",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.7.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
