CVE-2024-50429

The Magazine Blocks plugin for WordPress (versions up to and including 1.3.15) contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser, bypassing server-side sanitization [1].

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a specially crafted page, or submitting a form. The attack does not require direct interaction with the vulnerable plugin's admin interface but relies on the victim's browser executing the injected script [1].

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's session. This can be used to redirect visitors to malicious sites, display unauthorized advertisements, or inject other HTML payloads that compromise the integrity of the website [1].

The vulnerability has been addressed in version 1.3.18 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to simplify remediation [1].