CVE-2024-2919: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-2919) discovered in the CountUp Widget component. The vulnerability affects all versions up to and including 3.2.31, and was disclosed on April 3, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the CountUp Widget component. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned a score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

A patch has been released in version 3.2.32 of the Kadence Blocks plugin. Site administrators are strongly advised to update to this latest version to mitigate the vulnerability (WordPress Patch).