WordPress Gutenberg Editor Vulnerability Let Attackers Inject Malicious Scripts
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A newly disclosed vulnerability in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress has raised concerns among website administrators and developers.
The flaw, identified as CVE-2024-10178 , allows attackers with contributor-level access or higher to inject malicious scripts into web pages through the plugin’s Countdown widget.
While this vulnerability affects all versions of the plugin up to and including 3.3.9 .
The issue stems from insufficient input sanitization and output escaping on user-supplied attributes within the Countdown widget.
This improper handling enables attackers to execute Stored Cross-Site Scripting (XSS) attacks. Once a malicious script is injected, it executes whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other harmful actions.
Researchers at Wordfence identified that the vulnerability is classified as medium severity with a CVSS score of 6.4 , reflecting its potential impact and ease of exploitation.
Notably, the attack requires no user interaction beyond accessing an affected page, making it particularly concerning for administrators managing multi-user WordPress sites.
Flaw Profile
.webp)
Flaw profile (Source – Wordfence)
The vulnerability was publicly disclosed on December 4, 2024 , and a patch has been released in version 3.4.0 of the plugin. Website administrators are strongly advised to:-
Stored XSS vulnerabilities like this one highlight the importance of secure coding practices, particularly around input validation and output escaping.
Plugins with widespread use (like Gutentor, which is part of the Gutenberg ecosystem) pose significant risks when vulnerabilities are exploited.
The vulnerability was discovered by security researcher Webbernaut and has been documented in multiple security databases.
Administrators are encouraged to stay informed about plugin vulnerabilities through trusted sources and act promptly when updates are released.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
WordPress Gutenberg Editor Vulnerability Let Attackers Inject Malicious Scripts
Author: Tushar Subhra DuttaA newly disclosed vulnerability in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress has raised concerns among website administrators and developers.
The flaw, identified as CVE-2024-10178 , allows attackers with contributor-level access or higher to inject malicious scripts into web pages through the plugin’s Countdown widget.
While this vulnerability affects all versions of the plugin up to and including 3.3.9 .
The issue stems from insufficient input sanitization and output escaping on user-supplied attributes within the Countdown widget.
This improper handling enables attackers to execute Stored Cross-Site Scripting (XSS) attacks. Once a malicious script is injected, it executes whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other harmful actions.
Researchers at Wordfence identified that the vulnerability is classified as medium severity with a CVSS score of 6.4 , reflecting its potential impact and ease of exploitation.
Notably, the attack requires no user interaction beyond accessing an affected page, making it particularly concerning for administrators managing multi-user WordPress sites.
Flaw Profile
Flaw profile (Source – Wordfence)The vulnerability was publicly disclosed on December 4, 2024 , and a patch has been released in version 3.4.0 of the plugin. Website administrators are strongly advised to:-
- Update the Gutentor plugin immediately to version 3.4.0 or later.
- Review user roles and permissions to minimize risks associated with contributor-level access.
- Implement additional security measures such as web application firewalls (WAF) to monitor and block malicious activity.
Stored XSS vulnerabilities like this one highlight the importance of secure coding practices, particularly around input validation and output escaping.
Plugins with widespread use (like Gutentor, which is part of the Gutenberg ecosystem) pose significant risks when vulnerabilities are exploited.
The vulnerability was discovered by security researcher Webbernaut and has been documented in multiple security databases.
Administrators are encouraged to stay informed about plugin vulnerabilities through trusted sources and act promptly when updates are released.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
