CVE-2024-6884
📋 TL;DR
Gutenberg Blocks with AI by Kadence WP (plugin slug kadence-blocks) before version 3.2.39 does not validate and escape some of its block options before outputting them in the page or post where the block is embedded. An authenticated user with the Contributor role or higher can store a script payload in those options. The stored XSS payload executes in the browser of anyone who renders the content: an editor or administrator previewing the draft, or site visitors once it is published. The script runs with the victim's privileges, so it can perform actions as that user (for an administrator, that includes creating accounts or installing plugins) or present credential-harvesting forms. WordPress sites running a vulnerable version of the plugin are affected.
💻 Affected Systems
- Gutenberg Blocks with AI by Kadence WP WordPress plugin (slug kadence-blocks), all versions before 3.2.39
📦 What is this software?
Kadence Blocks is a block library for the WordPress block editor (Gutenberg) from Kadence WP. It adds layout, button, form and other content blocks; each block's settings are stored as block attributes inside the post content and are turned into HTML when the page is rendered, which is where the missing escaping matters.
⚠️ Risk & Real-World Impact
Worst Case
Attackers with contributor access could inject persistent malicious scripts that steal administrator credentials, hijack user sessions, deface websites, or redirect visitors to malicious sites when administrators or users view compromised content.
Likely Case
Malicious contributors or compromised contributor accounts inject tracking scripts, adware, or credential harvesting forms into posts that execute when editors, administrators, or site visitors view the content.
If Mitigated
With role-based access control and a review workflow, contributor content is checked before publication, which keeps payloads away from site visitors. It does not protect the reviewers: the payload executes as soon as an editor or administrator previews the draft on the front end, so the review itself is an exposure unless it is done on the block markup rather than the rendered page, or on a staging site.
🎯 Exploit Status
Exploitation requires an authenticated account with the Contributor role or higher. Contributors cannot publish, but they can save drafts and submit them for review, and the stored payload executes whenever a higher-privileged user previews the draft on the front end. The flaw is in block option handling: some block options are output during rendering without validation or escaping.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.39
Vendor Advisory: https://wpscan.com/vulnerability/1768de0c-e4ea-4c98-abf1-7ac805f214b8/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Gutenberg Blocks with AI by Kadence WP'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.2.39 or later from WordPress.org and update the plugin manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until it is patched. Pages built with Kadence blocks will not render correctly while the plugin is deactivated.
wp plugin deactivate kadence-blocks
Role Restriction
Temporarily remove the Contributor role or downgrade contributor accounts to Subscriber. This stops new payloads from being stored but does not remove content those accounts have already saved; review their existing posts and drafts as well.
wp user update USER_ID --role=subscriber
🧯 If You Can't Patch
- Implement a strict content review workflow requiring editor/administrator approval before contributor content is published, keeping in mind that a front-end preview of the draft renders the payload
- Add web application firewall (WAF) rules for requests that write post content. Two limits apply: the block editor saves through the REST API (/wp-json/wp/v2/posts and /wp-json/wp/v2/pages), not only /wp-admin/post.php, and it stores '<' and '>' inside block attributes as the escapes \u003c and \u003e, so a rule that only matches a literal <script> in the request body will not see the payload
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins, find 'Gutenberg Blocks with AI by Kadence WP' and verify version is below 3.2.39
Check Version:
wp plugin get kadence-blocks --field=version
Verify Fix Applied:
Confirm plugin version is 3.2.39 or higher in WordPress admin plugins page
📡 Detection & Monitoring
Log Indicators:
- POST or PUT requests from contributor accounts to /wp-json/wp/v2/posts/<id>, /wp-json/wp/v2/pages/<id> (the block editor saves through the REST API) or /wp-admin/post.php whose body contains script markers such as <script, javascript:, onerror=, or their escaped form \u003cscript. Web server access logs do not record request bodies, so this requires body logging at the WAF or reverse proxy
- Multiple content updates from the same contributor account in a short timeframe
- Post revisions from contributor accounts that add kadence/ block attributes containing the markers above
Network Indicators:
- Requests from visitors' or administrators' browsers to domains not referenced by legitimate site content; a Content-Security-Policy-Report-Only header with report-to or report-uri makes these visible without blocking anything
- Beacons or form submissions to external hosts from pages authored by contributors
SIEM Query:
source="wordpress.log" AND ("/wp-json/wp/v2/posts" OR "/wp-json/wp/v2/pages" OR "post.php" OR "admin-ajax.php") AND ("<script" OR "\u003cscript" OR "javascript:" OR "onerror=" OR "onload=")
The query is only meaningful on logs that include request bodies, and the escaped form \u003cscript is what the block editor actually sends for a payload placed in a block attribute.