CVE-2024-52357: 
WordPress vulnerability analysis and mitigation

The LIQUID BLOCKS WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-52357) affecting versions up to and including 1.2.0. The vulnerability was discovered on November 8, 2024, and stems from insufficient input sanitization and output escaping in the plugin (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.4 (Medium) from NVD and 6.5 (Medium) from Patchstack. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low impacts on confidentiality and integrity (NVD).

This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (WPScan).

The vulnerability has been fixed in version 1.3.0 of the LIQUID BLOCKS plugin. Site administrators are strongly advised to update to this version or later to remediate the security risk (Patchstack).