CVE-2024-12304: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-12304) discovered in January 2025. The vulnerability affects all versions up to and including 3.4.2, allowing authenticated attackers with Contributor-level access or higher to inject malicious scripts via button block links (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the button block link functionality. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts into pages that execute whenever a user accesses the compromised page. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (NVD CVE).

The vulnerability has been patched in version 3.4.3 of the plugin. Users are advised to update to this version or later to mitigate the risk (WordPress Patch).