CVE-2024-37492
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gutenberg Team Gutenberg allows Stored XSS. This issue affects Gutenberg: from n/a through 18.6.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the WordPress Gutenberg plugin (≤18.6.0) allows authenticated contributors to inject malicious scripts via improperly neutralized input.
The Gutenberg plugin for WordPress, up to version 18.6.0, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. An authenticated user with contributor-level privileges can inject arbitrary HTML and JavaScript into posts or blocks, which are later executed in the browsers of visitors [1]. This flaw arises because the plugin fails to sanitize or escape certain inputs before storing them in the database and later rendering them on the page.
To exploit this vulnerability, an attacker must be a logged-in WordPress user with at least the Contributor role. The attacker crafts a post or block containing malicious script code and saves it; when any user—including site administrators or regular visitors—views the compromised content, the injected script runs in their browser [1]. The vendor describes this as requiring user interaction, meaning the victim must visit the affected page for the payload to execute [1].
Successful exploitation allows the attacker to perform a range of harmful actions: redirecting visitors to malicious sites, displaying unwanted advertisements, stealing session cookies, or other client-side attacks [1]. Because the injected script runs in the context of the victim's session, an attacker could also potentially escalate privileges or perform administrative actions if the victim is a site admin.
The vulnerability has been addressed in Gutenberg version 18.6.1. Users are strongly advised to update to this patched version or enable auto-updates for the plugin [1]. Patchstack notes that while the severity is assessed as medium (CVSS 6.5), such stored XSS flaws are routinely used in mass-exploit campaigns targeting WordPress sites [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
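The narrative above comes down to one mechanism: block attributes saved by a contributor are later written into the page without context-appropriate escaping. The following JavaScript is an added example, not Gutenberg's or WordPress's own code. It assumes a hypothetical block with two attributes, `content` (free text) and `align` (an enumerated value), shows the vulnerable concatenation pattern next to a hardened renderer that escapes text and allow-lists the enumerated attribute, and includes a small audit helper a site owner could run over already-stored post markup after updating to 18.6.1. The payload strings in the sample are constructed placeholders.

```javascript
// Added example (not Gutenberg code). Hypothetical block attributes:
//   { content: string, align: "left" | "center" | "right" }

// Escape for the HTML text and double-quoted attribute contexts.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

const ALLOWED_ALIGN = new Set(["left", "center", "right"]);

// Vulnerable pattern (the class of defect the CVE describes): stored
// attributes are concatenated straight into the generated markup.
function renderBlockUnsafe(attrs) {
  return `<p class="align-${attrs.align}">${attrs.content}</p>`;
}

// Hardened pattern: free text is escaped for its context and the
// enumerated attribute is replaced by a value from a fixed allow-list.
function renderBlockSafe(attrs) {
  const align = ALLOWED_ALIGN.has(attrs.align) ? attrs.align : "left";
  return `<p class="align-${align}">${escapeHtml(attrs.content)}</p>`;
}

// Audit helper: flags constructs that contributor-level content should
// never contain once it has been rendered. Returns the matching patterns
// so stored posts can be triaged after the plugin update.
const SUSPICIOUS_MARKUP = [
  /<script\b/i,          // inline script element
  /\bon[a-z]+\s*=/i,     // event-handler attribute such as onmouseover=
  /javascript\s*:/i,     // javascript: URL scheme
  /<iframe\b/i,          // embedded frame
];

function flagSuspiciousMarkup(html) {
  return SUSPICIOUS_MARKUP.filter((re) => re.test(html)).map((re) => re.source);
}

// Constructed sample: attributes as a contributor might have saved them.
const contributorInput = {
  content: "<script>alert(1)</script>",
  align: 'left" onmouseover="alert(1)',
};

// Stand-alone demonstration of both renderers and the audit helper.
if (typeof module === "undefined" || require.main === module) {
  console.log("unsafe :", renderBlockUnsafe(contributorInput));
  console.log("  flags:", flagSuspiciousMarkup(renderBlockUnsafe(contributorInput)));
  console.log("safe   :", renderBlockSafe(contributorInput));
  console.log("  flags:", flagSuspiciousMarkup(renderBlockSafe(contributorInput)));
}
```

The two renderers differ only in where trust is placed: the unsafe one trusts whatever was stored, the safe one treats every stored attribute as untrusted at render time, which is the neutralization step the CVE description says was missing.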
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.