Blocksy <= 2.0.77 - Authenticated (Contributor+) Stored Cross-Site Scripting

Vulnerability

The Blocksy theme for WordPress, in all versions up to and including 2.0.77, is vulnerable to Stored Cross-Site Scripting (XSS) via the Contact Info Block link parameter. The vulnerability arises from insufficient input sanitization and output escaping in the inc/components/contacts-box.php file, allowing authenticated users to inject arbitrary web scripts into the link field [1].

Exploitation

An attacker must have at least Contributor-level access to the WordPress site. By crafting a malicious payload in the Contact Info Block's link parameter, the attacker can inject arbitrary JavaScript or HTML. When any user (including administrators) visits a page containing the injected block, the script executes in the context of the victim's browser [1].

Impact

Successful exploitation results in Stored XSS, enabling the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, defacing pages, or performing actions on behalf of the victim. The attack can affect all users who view the compromised page, potentially leading to full site compromise if an administrator's session is hijacked [1].

Mitigation

The vulnerability is fixed in version 2.0.78 of the Blocksy theme, as shown in the official changeset [1]. Users should update to version 2.0.78 or later (the latest version as of the reference is 2.1.42 [2]). No workaround is available; updating is the recommended action.