CVE-2024-8288
Description
The Guten Post Layout – An Advanced Post Grid Collection for WordPress Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ attribute within the 'wp:guten-post-layout/post-grid' Gutenberg block in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Guten Post Layout plugin for WordPress (≤1.2.4) has a stored XSS vulnerability in the 'align' attribute of the post-grid block, exploitable by contributors.
The Guten Post Layout plugin for WordPress (versions up to and including 1.2.4) suffers from a stored cross-site scripting vulnerability via the 'align' attribute within the wp:guten-post-layout/post-grid Gutenberg block. The flaw stems from insufficient input sanitization and output escaping, allowing malicious HTML or JavaScript to be stored in the database [1].
To exploit this, an attacker must be an authenticated user with at least Contributor-level access. They can craft a post or page using the vulnerable block and inject arbitrary web scripts through the 'align' attribute. When any user accesses the injected page, the script executes in their browser [1].
Successful exploitation can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability is rated medium severity (CVSS 6.4) and affects all plugin versions up to and including 1.2.4 [1].
The vendor has addressed the issue in version 1.2.5. Users are strongly advised to update their installations immediately to mitigate the risk [1].
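As an added illustration (not the plugin's own code, and not the actual 1.2.5 change), the hypothetical render callback below shows the pattern the description implies, a saved block attribute interpolated into markup with no validation or escaping, beside a hardened version that restricts 'align' to the values the block supports and escapes it on output. Function names, the class prefix and the allowed-value list are assumptions; esc_attr() is WordPress's real escaping helper, given a minimal stand-in here only so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example for CVE-2024-8288; illustrative, not the Guten Post Layout code.

// Stand-in for WordPress's esc_attr() so this runs under plain `php`.
// Inside WordPress the real function is used and this branch is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Hypothetical dynamic-block render callback (unsafe pattern). The block's
// saved attributes arrive as an array and 'align' is dropped straight into
// a class attribute, so a crafted value breaks out of the attribute.
function gpl_render_post_grid_unsafe(array $attributes): string {
    $align = $attributes['align'] ?? 'center';
    return '<div class="gpl-post-grid align' . $align . '"></div>';
}

// Hardened version: validate against an allow-list of values the block
// actually supports (assumed list), fall back to a default otherwise, and
// still escape on output as defence in depth.
const GPL_ALLOWED_ALIGN = ['left', 'center', 'right', 'wide', 'full'];

function gpl_render_post_grid_safe(array $attributes): string {
    $align = $attributes['align'] ?? 'center';
    if (!is_string($align) || !in_array($align, GPL_ALLOWED_ALIGN, true)) {
        $align = 'center';
    }
    return '<div class="gpl-post-grid align' . esc_attr($align) . '"></div>';
}

// Constructed payload: what a Contributor could store in the block's
// attribute JSON. The value closes the class attribute, adds an event
// handler, and reopens a dummy attribute to keep the markup well-formed.
$payload = ['align' => '" onmouseover="alert(document.cookie)" x="'];

echo gpl_render_post_grid_unsafe($payload), PHP_EOL;
echo gpl_render_post_grid_safe($payload), PHP_EOL;
```

Run with `php example.php`: the unsafe callback emits the attacker's onmouseover handler as a live attribute on the div, while the hardened one renders `aligncenter` and nothing else. The allow-list is the important part; escaping alone would keep the attribute well-formed but still let arbitrary class names through, and WordPress's own `sanitize_html_class()` is a reasonable alternative when a fixed list is not practical. Checking in the render callback matters because the attribute lives in the block's JSON comment in post_content, not in HTML that the post-save content filters target.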
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- plugins.trac.wordpress.org/browser/guten-post-layout/trunk/src/blocks/post-grid/post-grid.php (nvd)
- plugins.trac.wordpress.org/changeset/3171324/guten-post-layout/trunk/src/blocks/post-grid/post-grid.php (nvd)
- wordpress.org/plugins/guten-post-layout/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/5d6d9852-424a-4d98-9926-e849bef99c2d (nvd)
News mentions (0)
No linked articles in our index yet.