CVE-2024-38684

Vulnerability

Overview

The FunnelKit SlingBlocks – Gutenberg Blocks by FunnelKit (formerly WooFunnels) plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This issue affects all versions from n/a through 1.4.1.

Exploitation

Details

A privileged user role (such as a contributor or above) can inject malicious scripts into the plugin's blocks. The attack requires user interaction, where a privileged user must perform an action such as clicking a malicious link or submitting a crafted form [1]. Once stored, the injected script will execute in the browser of any visitor to the affected page.

Impact

Successful exploitation allows an attacker to inject arbitrary malicious scripts, including redirects, advertisements, or other HTML payloads, into the website [1]. These scripts execute when guests visit the site, potentially leading to data theft, defacement, or further attacks against visitors.

Mitigation

The vendor has released version 1.5.0 which resolves the vulnerability. Users are advised to update immediately [1]. For those unable to update, contacting a hosting provider or web developer is recommended. The CVSS v3 score is 6.5 (Medium), indicating a moderate severity with low exploitation likelihood according to the advisory [1].