CVE-2024-51869
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Best WP Developer Gutenium Blocks gutenium allows Stored XSS. This issue affects Gutenium Blocks: from n/a through <= 1.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Gutenium Blocks plugin allows authenticated authors to inject scripts that execute when visitors view affected posts.
Vulnerability
Details
The Gutenium Blocks plugin for WordPress, in versions 1.1.7 and earlier, suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The flaw exists in the gutenium component, where unvalidated or unsanitized input can be persistently stored and later rendered in the browser of site visitors [1].
Exploitation
Exploitation requires an authenticated user with at least Author-level privileges, who can create or edit posts containing the vulnerable Gutenium block. A malicious user can inject arbitrary JavaScript or HTML payloads into the block's content. When a site visitor loads the affected page, the injected script executes in their browser session without requiring any further user interaction [1].
Impact
Successful exploitation enables an attacker to perform a range of actions, including redirecting visitors to malicious sites, injecting advertisements, stealing session cookies, or defacing the page. Because the payload is stored, every subsequent visitor to the compromised page is affected, amplifying the attack's reach — a characteristic exploited in mass WordPress campaigns [1].
Mitigation
The vendor has not released a patched version beyond 1.1.7 as of the advisory date. Immediate remediation requires updating the plugin to the latest available version or, if no update exists, disabling the plugin entirely. Temporary workarounds include applying a web application firewall rule to block suspicious block inputs, though updating is the definitive fix [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.