CVE-2024-43349
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in all_bootstrap_blocks All Bootstrap Blocks all-bootstrap-blocks. This issue affects All Bootstrap Blocks: from n/a through <= 1.3.19.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All Bootstrap Blocks plugin for WordPress <=1.3.19 is vulnerable to stored XSS via improper input neutralization, enabling script injection on affected sites.
Vulnerability Analysis
The All Bootstrap Blocks plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.3.19. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker with sufficient privileges to inject arbitrary HTML and JavaScript into the plugin's output [1].
Exploitation Details
Exploitation requires a user with at least contributor or author-level access (the plugin's required privilege level) to inject malicious payloads through normally editable content fields. Interaction from a higher-privileged user (e.g., admin) is then needed to trigger the stored payload, such as clicking a link or viewing the compromised page. The vulnerability can be initiated without authentication if the attacker already has a low-privileged account [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any visitor's browser when they view an infected page. This can be used to inject redirects, display fake advertisements, steal session cookies, or perform other client-side attacks, potentially compromising the site's integrity and user trust [1].
Mitigation
The vendor released version 1.3.20 which resolves the issue by properly sanitizing output. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for the plugin. No workarounds besides updating are available [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.3.19
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.