CVE-2024-5289
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts via the Google Maps widget in the Kadence Blocks plugin. The scripts are stored and execute whenever other users view pages containing the injected widget. All WordPress sites using vulnerable versions of the plugin are affected.
💻 Affected Systems
- Kadence Blocks - Gutenberg Blocks for Page Builder Features
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users.
Likely Case
Attackers with contributor accounts inject malicious scripts that steal session cookies or redirect users to phishing pages.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement or minor data leakage.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.43 or later
Vendor Advisory: https://wordpress.org/plugins/kadence-blocks/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Kadence Blocks' and click 'Update Now'. 4. Verify version is 3.2.43 or higher.
🔧 Temporary Workarounds
Disable Google Maps Block
allTemporarily disable the vulnerable Google Maps block component
Edit wp-config.php and add: define('DISABLE_KADENCE_GOOGLEMAPS', true);
Restrict User Roles
allRemove contributor-level editing capabilities from untrusted users
Use WordPress role management plugins or custom code to restrict block editing permissions
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Remove contributor access from all untrusted users and audit existing contributor accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Kadence Blocks version. If version is 3.2.42 or lower, you are vulnerable.Check Version:
wp plugin get kadence-blocks --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 3.2.43 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/post.php with Google Maps parameters
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Unexpected script tags in page responses containing 'kadence-blocks-googlemaps'
SIEM Query:
source="wordpress.log" AND ("kadence-blocks" OR "googlemaps") AND (POST /wp-admin/post.php)🔗 References
- https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.2.38/includes/blocks/class-kadence-blocks-googlemaps-block.php#L226
- https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.2.42/includes/blocks/class-kadence-blocks-googlemaps-block.php#L237
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f9c0ad1e-380e-4b67-b07e-70bf44e4e614?source=cve
- https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.2.38/includes/blocks/class-kadence-blocks-googlemaps-block.php#L226
- https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.2.42/includes/blocks/class-kadence-blocks-googlemaps-block.php#L237
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f9c0ad1e-380e-4b67-b07e-70bf44e4e614?source=cve
