CVE-2024-8760

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-8760
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3158674%40stackable-ultimate-gutenberg-blocks%2Ftrunk&old=3156448%40stackable-ultimate-gutenberg-blocks%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd0b13c-7447-45da-9608-80b7629d9bbf?source=cve
Configurations

No configuration.

History

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) El complemento Stackable – Page Builder Gutenberg Blocks para WordPress es vulnerable a la inyección de CSS en todas las versiones hasta la 3.13.6 incluida. Esto permite que atacantes no autenticados incorporen información de estilo no confiable en los comentarios, lo que genera la posibilidad de exfiltración de datos, como nonces de administración, con un impacto limitado. Estos nonces podrían usarse para realizar ataques CSRF dentro de un período de tiempo limitado. La presencia de otros complementos puede hacer que haya nonces adicionales disponibles, lo que puede representar un riesgo en complementos que no realizan verificaciones de capacidad para proteger acciones AJAX u otras acciones a las que puedan acceder usuarios con menos privilegios.

12 Oct 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-12 09:15

Updated : 2024-10-15 12:57

NVD link : CVE-2024-8760

Mitre link : CVE-2024-8760

CVE.ORG link : CVE-2024-8760

JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')