CVE-2024-6884 Gutenberg Blocks with AI by Kadence WP < 3.2.39 - Contributor+ Stored XSS

2024-08-0806:00:04

WPScan

github.com

cve-2024-6884

wordpress plugin

stored cross-site scripting

AI Score

5.9

Confidence

High

EPSS

Percentile

9.5%

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Gutenberg Blocks with AI by Kadence WP",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.2.39",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:kadencewp:gutenberg_blocks_with_ai:*:*:*:*:*:*:*:*"
    ],
    "vendor": "kadencewp",
    "product": "gutenberg_blocks_with_ai",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.2.39",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]