CVE-2024-35169

Overview

CVE-2024-35169 is a Cross-site Scripting (XSS) vulnerability in the All Bootstrap Blocks plugin for WordPress, affecting versions from n/a through 1.3.15 [1][2]. The issue stems from improper neutralization of user input during web page generation, enabling attackers to inject arbitrary HTML and JavaScript into the admin pages of the plugin.

Exploitation

Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a malicious link or visiting a crafted page [1][2]. The attacker must have a role with the necessary privileges to trigger the vulnerability. Once triggered, the injected script executes in the context of the admin's session.

Impact

A successful attack could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, that execute when other users visit the affected site [1][2]. This could lead to defacement, data theft, or further compromise.

Mitigation

The vulnerability is fixed in version 1.3.16 of the All Bootstrap Blocks plugin. Users are strongly advised to update immediately [1][2]. Patchstack users can enable auto-updates for vulnerable plugins.