CVE-2024-6296

Vulnerability

The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 3.13.1. The vulnerability resides in insufficient input sanitization and output escaping of the 'data-caption' parameter, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts.

Exploitation

An attacker must have at least Contributor-level access to the WordPress site. They can inject malicious JavaScript into the 'data-caption' parameter of a Stackable block. When any user (including administrators) views the page containing the injected block, the script executes in their browser.

Impact

Successful exploitation leads to Stored XSS, enabling the attacker to execute arbitrary scripts in the context of the victim's session. This can result in session hijacking, defacement, or redirection to malicious sites. The attack does not require any user interaction beyond viewing the affected page.

Mitigation

The vendor has released version 3.19.8 (as per the WordPress plugin repository [1]), which likely includes a fix. Users should update to the latest version immediately. No workaround is available for older versions. The plugin is actively maintained.