CVE-2024-12581: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-12581) affecting all versions up to and including 3.2.53. The vulnerability was discovered and disclosed on December 13, 2024, affecting WordPress installations where the plugin is active. This security issue specifically impacts multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the admin settings of the plugin. The flaw allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. The severity is rated as MEDIUM with a CVSS v3.1 base score of 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) according to NVD, while Wordfence assessed it with a slightly lower score of 4.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) (NVD).

When exploited, the vulnerability allows injected malicious scripts to execute whenever a user accesses an affected page. This can potentially lead to unauthorized access to sensitive information and compromise of website functionality. The impact is particularly concerning for multi-site installations and systems where unfiltered_html has been disabled (NVD).

The vulnerability has been patched in version 3.2.54 of the Gutenberg Blocks with AI plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk. For installations unable to update immediately, restricting administrator access and monitoring for suspicious activity in the admin settings is recommended (NVD).