CVE-2024-13733
📋 TL;DR
This vulnerability is a stored cross-site scripting (XSS) flaw in the post-carousel block of the SKT Blocks – Gutenberg based Page Builder plugin. Authenticated WordPress users with contributor-level access or higher can save block attributes that are rendered into page markup without adequate escaping. The injected script is stored with the post and executes in the browser of every visitor who loads the affected page, enabling session or account hijacking, data theft, or malware distribution. All WordPress sites running SKT Blocks versions up to and including 1.7 are affected.
💻 Affected Systems
- SKT Blocks – Gutenberg based Page Builder WordPress plugin, versions up to and including 1.7
📦 What is this software?
Skt Blocks by Sktthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, install malware on visitor devices, or deface the entire website.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement of specific pages containing the vulnerable block.
🎯 Exploit Status
Exploitation requires an authenticated account with at least the contributor role, but once that is in hand it is straightforward: the attacker only needs to save a post containing a post-carousel block with a crafted attribute value. No standalone proof-of-concept is listed in the references; however, the fixing changeset in the WordPress plugin repository is public, so the vulnerable code path is visible to anyone who reads the diff.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8 or later
Vendor Advisory (plugin changelog on WordPress.org): https://wordpress.org/plugins/skt-blocks/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'SKT Blocks – Gutenberg based Page Builder'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.8 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable block
Remove or disable the post-carousel block from all pages and posts. This only stops existing instances from rendering; it does not prevent a contributor from inserting a new one, so combine it with the account review below until the plugin is updated.
Implement Content Security Policy
Add CSP headers to restrict script execution sources. A policy without 'unsafe-inline' blocks the inline scripts and event handlers a stored XSS payload typically relies on, but it will also break WordPress admin screens and many themes that depend on inline scripts. Deploy it first as Content-Security-Policy-Report-Only, review the violation reports, and only then enforce it.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Review and audit all contributor-level user accounts, removing unnecessary accounts and ensuring strong passwords
- Implement web application firewall rules to detect and block XSS payloads in POST requests to WordPress
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → SKT Blocks version. If version is 1.7 or lower, you are vulnerable.
Check Version:
wp plugin list --name=skt-blocks --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify SKT Blocks plugin version shows 1.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests from contributor accounts that save post content containing skt-blocks/post-carousel block markup; the block editor saves through the REST API (`/wp-json/wp/v2/posts/<id>`), so watch those endpoints as well as admin-ajax.php
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript payloads in page responses
SIEM Query (illustrative; adapt the source and field names to your log pipeline):
source="wordpress.log" AND ("skt-blocks" OR "post-carousel") AND ("script" OR "javascript" OR "onclick")
Web server access logs do not contain post bodies, so this query is only meaningful if the SIEM ingests request bodies or exported post content. Note also that Gutenberg serialises block attributes as JSON inside an HTML comment and escapes `<`, `>`, `&` and `--` as `\u003c`, `\u003e`, `\u0026` and `\u002d\u002d`, so a raw-text match on `<script` will miss stored payloads; decode the JSON before matching.
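The following script is an added example for the detection step above and is not code from the plugin or from the original advisory. It parses Gutenberg block delimiters out of stored post content, decodes the attribute JSON of every skt-blocks/post-carousel block (so that the `\u003c`-style escaping is undone), and flags any attribute value that carries script tags, event handlers, or `javascript:` URLs. The post IDs and contents in `SAMPLE_POSTS` are constructed for the example; the suspicious-pattern list is a heuristic, not the plugin's own validation.

```python
"""Scan stored WordPress post content for skt-blocks/post-carousel blocks
whose attributes carry script-like payloads.  Added example, not plugin code."""
import json
import re

# Gutenberg serialises a block as an HTML comment:
#   <!-- wp:NAME {json} /-->   or   <!-- wp:NAME {json} --> ... <!-- /wp:NAME -->
# The attribute JSON is optional.  Inside it, <, >, & and -- are escaped as
# \u003c, \u003e, \u0026 and \u002d\u002d, which json.loads() decodes for us.
BLOCK_RE = re.compile(
    r"<!--\s*wp:(?P<name>[a-z][a-z0-9-]*/[a-z][a-z0-9-]*)"
    r"(?:\s+(?P<attrs>\{.*?\}))?\s*/?-->",
    re.DOTALL,
)

# Heuristic patterns that have no business inside a carousel attribute value.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*script\b"          # <script> / </script>
    r"|javascript\s*:"            # javascript: URLs
    r"|\bon[a-z]+\s*="            # inline event handlers such as onerror=
    r"|<\s*(?:iframe|img|svg|object|embed)\b",  # tags commonly used as XSS carriers
    re.IGNORECASE,
)

# Constructed sample data (post ID -> post_content), not taken from any real site.
SAMPLE_POSTS = {
    101: '<!-- wp:paragraph --><p>Hello</p><!-- /wp:paragraph -->'
         '<!-- wp:skt-blocks/post-carousel {"columns":3,"readMoreText":"Read more"} /-->',
    102: '<!-- wp:skt-blocks/post-carousel {"columns":2,'
         '"readMoreText":"Read\\u003cimg src=x onerror=alert(1)\\u003e"} /-->',
    103: '<!-- wp:skt-blocks/post-carousel {"columns":1,'
         '"categories":[{"label":"News\\u003cscript\\u003e"}]} /-->',
}


def iter_blocks(content, block_name="skt-blocks/post-carousel"):
    """Yield the decoded attribute dict of every block named block_name."""
    for m in BLOCK_RE.finditer(content):
        if m.group("name") != block_name:
            continue
        raw = m.group("attrs")
        try:
            yield json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            # The editor never saves malformed JSON; treat it as tampered content.
            yield {"__unparseable__": raw}


def flatten(value, path=""):
    """Yield (dotted path, string) for every string nested in the attribute JSON."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from flatten(item, f"{path}[{idx}]")
    elif isinstance(value, str):
        yield path, value


def find_suspicious(post_id, content):
    """Return a list of findings for one post's content."""
    findings = []
    for attrs in iter_blocks(content):
        for path, text in flatten(attrs):
            if SUSPICIOUS_RE.search(text):
                findings.append({"post_id": post_id, "attribute": path, "value": text})
    return findings


def scan_posts(posts):
    """posts: mapping of post ID -> post_content.  Returns all findings."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(find_suspicious(post_id, content))
    return findings


if __name__ == "__main__":
    import sys
    # With JSON on stdin (e.g. the output of `wp post list --format=json`,
    # an assumed invocation) scan that; otherwise scan the constructed sample.
    if sys.stdin.isatty():
        posts = SAMPLE_POSTS
    else:
        posts = {row["ID"]: row["post_content"] for row in json.load(sys.stdin)}
    for f in scan_posts(posts):
        print(f"post {f['post_id']}: {f['attribute']} = {f['value']!r}")
```

To run it against a live site, export content with WP-CLI (assumed invocation: `wp post list --post_type=any --post_status=any --fields=ID,post_content --format=json | python3 scan.py`). Because the scanner decodes the JSON first, post 102 is flagged even though the raw stored text never contains the literal string `<img`; a grep over wp_posts for that string would report nothing. Reusable blocks (post type wp_block) are included by `--post_type=any`; block-based widgets stored in the options table are not covered.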
🔗 References
- https://plugins.trac.wordpress.org/browser/skt-blocks/trunk/src/blocks/post-carousel/index.php#L751
- https://plugins.trac.wordpress.org/changeset/3233980/
- https://wordpress.org/plugins/skt-blocks
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a84999-bd1b-4b86-9fa1-09c20b50ce37?source=cve