CVE-2024-8760: 
WordPress vulnerability analysis and mitigation

The Stackable – Page Builder Gutenberg Blocks plugin for WordPress contains a CSS Injection vulnerability (CVE-2024-8760) affecting all versions up to and including 3.13.6. This vulnerability was discovered and reported by Wordfence, with a CVSS v3.1 base score of 5.3 (Medium) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to embed untrusted style information into comments. This CSS injection vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and has been assigned a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD).

The vulnerability can result in data exfiltration of admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, potentially increasing the risk for plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users (NVD).

Users should update to a version newer than 3.13.6 of the Stackable – Page Builder Gutenberg Blocks plugin to address this vulnerability (NVD).