CVE-2024-2509

moderate-risk

Published 2024-04-05

The Gutenberg Blocks by Kadence Blocks WordPress plugin before 3.2.26 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Do I need to act?

0.21% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Gutenberg Blocks With Ai

Affected Vendors

Kadencewp

References (4)

Exploit https://research.cleantalk.org/cve-2024-2509/

Exploit https://wpscan.com/vulnerability/dec4a632-e04b-4fdd-86e4-48304b892a4f/

Exploit https://research.cleantalk.org/cve-2024-2509/

Exploit https://wpscan.com/vulnerability/dec4a632-e04b-4fdd-86e4-48304b892a4f/

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal