CVE-2024-1999: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-1999. The vulnerability affects all versions up to and including 3.2.25, specifically in the Testimonial Widget's anchor style parameter. This security issue was discovered due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NIST, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L). The vulnerability exists in the Testimonial Widget component where insufficient input sanitization and output escaping allows for script injection (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions, data theft, or session hijacking (NVD).

Users should update their Kadence Blocks plugin to a version newer than 3.2.25. A patch has been released to address the vulnerability, as evidenced by the WordPress plugin repository changes (WordPress Patch).