CVE-2024-8318

Published
View on NVD ↗
CVSS v3
6.4
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT

Description

The Attributes for Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘attributesForBlocks’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Attributes for Blocks
Attributes for Blocks
<p>This plugin adds additional advanced inspector controls to Gutenberg blocks that allow to add any custom HTML attributes to the block&#8217;s front-end output. This allows you to add inline styles to fine-tune the block&#8217;s appearance, set aria attributes to improve your site&#8217;s accessibility, add data attributes to integrate with any JavaScript modules or even JavaScript DOM event attributes such as <code>onclick</code>, <code>onchange</code> or <code>onload</code>.</p> <p><a href="https://playground.wordpress.net/?plugin=attributes-for-blocks&amp;url=%2Fwp-admin%2Fpost.php%3Fpost%3D2%26action%3Dedit" rel="nofollow ugc">Demo</a></p>
WordPress Plugin DirectoryWordPress Plugin Directory
46K