CVE-2024-37951

The Magical Posts Display – Elementor & Gutenberg Posts Blocks plugin for WordPress versions up to 1.2.38 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the context of other users' browsers.

Exploitation of this vulnerability requires a privileged user to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form [1]. Once triggered, the injected script executes when any visitor accesses the affected page, potentially impacting all site visitors.

Successful exploitation enables an attacker to perform actions such as redirecting users to malicious sites, displaying advertisements, or stealing sensitive information [1]. The impact is limited by the requirement for user interaction, but the stored nature of the XSS increases the potential reach.

The vulnerability has been patched in version 1.2.39 of the plugin [1]. Users are strongly advised to update immediately. If auto-updates are enabled via Patchstack, the fix can be applied automatically [1].