The Gutenverse plugin for WordPress (versions up to and including 2.2.1) fails to sanitize user-supplied input in its countdown block, enabling stored cross-site scripting (XSS). An attacker with contributor-level access can inject a script into a post or page, and it executes in the browser of any user who views that content. The flaw stems from improper handling of block attributes (for example endDate): the attribute value is stored in the block's JSON and later printed into the HTML without being escaped, so a JavaScript payload persists in the database and renders unsafely.
DailyCVE Form:
Platform: WordPress
Version: ≤2.2.1
Vulnerability: Stored XSS
Severity: Medium
Date: 05/06/2025
What Undercode Says:
Exploit:
1. Attacker authenticates as a contributor.
2. Edits a post or page that contains a Gutenverse countdown block.
3. Inserts a malicious payload into the block attributes:
"endDate":"2025-01-01\" onload=alert(document.cookie)//"
4. Saves the post. A contributor cannot publish, so the payload first runs when an editor or administrator previews or publishes the post, and after publication for every visitor.
The escaped quote closes the attribute the block prints endDate into; which event handler actually fires depends on the element the value lands in, so treat onload= as illustrative rather than the only working handler. Note also that the block editor serializes a literal double quote in attribute JSON as \u0022, so that, not \", is what ends up in the database when the payload is saved through the editor.
Detection:
On the plugin side, audit the block's render callback for attribute values that are printed without escaping for their context (esc_attr() for HTML attributes). The hook below is not a scanner: render_block_{block-name} is a WordPress filter (available since 5.7) that post-processes the block's rendered HTML, and sanitize_countdown_output is a callback you would still have to write. It can serve as an output-side stopgap, not as a way to find the bug:
add_filter('render_block_gutenverse/countdown', 'sanitize_countdown_output');
On the content side, stored payloads live in the block's attribute JSON in wp_posts.post_content. Include drafts, pending posts and revisions in any search, because that is where a contributor's submissions sit before anyone publishes them.
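The content-side search described above, written out as an added example (this is not Gutenverse or DailyCVE code). It parses the countdown block's attribute JSON out of post_content and flags any string attribute that could break out of an HTML attribute or carries an inline event handler. It assumes the standard WordPress block-comment serialisation, and the three post rows are constructed for the demonstration.

```php
<?php
// Added example, not plugin code: scan stored block markup for countdown
// attribute values that can break out of an HTML attribute.

/**
 * Return the gutenverse/countdown attributes in $post_content whose string
 * values contain attribute-breaking characters or an inline event handler.
 */
function find_suspicious_countdown_attrs(string $post_content): array
{
    $findings = [];
    // Matches the attribute JSON of both self-closing (/-->) and opening (-->)
    // block delimiters. Assumes WordPress' own serialisation, which never
    // leaves a literal "--" inside the JSON.
    if (!preg_match_all('~<!--\s*wp:gutenverse/countdown\s+(\{.*?\})\s*/?-->~s', $post_content, $matches)) {
        return $findings;
    }
    foreach ($matches[1] as $json) {
        // Decode before inspecting: the block editor serialises a literal double
        // quote as \u0022, so grepping the raw markup for '"' misses editor-saved payloads.
        $attrs = json_decode($json, true);
        if (!is_array($attrs)) {
            $findings[] = ['attr' => '(unparseable JSON)', 'value' => $json];
            continue;
        }
        foreach ($attrs as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            $breaks_out  = strpbrk($value, '"\'<>') !== false;
            $has_handler = preg_match('/\bon[a-z]+\s*=/i', $value) === 1;
            if ($breaks_out || $has_handler) {
                $findings[] = ['attr' => $name, 'value' => $value];
            }
        }
    }
    return $findings;
}

// Constructed sample rows (post ID => post_content). 101 is benign; 102 is what the
// block editor stores for the advisory's payload; 103 is hand-written markup using \".
$sample_rows = [
    101 => '<!-- wp:gutenverse/countdown {"elementId":"c1","endDate":"2025-01-01"} /-->',
    102 => '<!-- wp:gutenverse/countdown {"elementId":"c2","endDate":"2025-01-01\u0022 onload=alert(document.cookie)//"} /-->',
    103 => '<!-- wp:gutenverse/countdown {"elementId":"c3","endDate":"2025-01-01\" onmouseover=alert(1)//"} -->'
           . "\n<div></div>\n<!-- /wp:gutenverse/countdown -->",
];

foreach ($sample_rows as $post_id => $content) {
    foreach (find_suspicious_countdown_attrs($content) as $finding) {
        printf("post %d: attribute %s = %s\n", $post_id, $finding['attr'], json_encode($finding['value']));
    }
}
```

Rows 102 and 103 are reported, row 101 is not. On a live site, feed the function real rows from wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%wp:gutenverse/countdown%'" (substitute your table prefix if it is not wp_); leaving post_type and post_status unfiltered keeps drafts, pending posts, revisions and autosaves in scope.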
Mitigation:
1. Update Gutenverse to a release later than 2.2.1.
2. Add a Content Security Policy as defence in depth. The directive must not contain 'unsafe-inline': that keyword is exactly what permits inline event handlers such as onload=, so the policy originally suggested here would have allowed the payload. A policy without it blocks inline handlers, but it also breaks WordPress's own inline scripts until they carry nonces or hashes, so roll it out under Content-Security-Policy-Report-Only first:
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
3. Restricting contributor capabilities is a blunt instrument. remove_cap() is a method of WP_Role rather than a global function, and removing edit_posts disables the contributor role outright:
get_role('contributor')->remove_cap('edit_posts');
Hiding the block from the inserter with the allowed_block_types_all filter is not a security boundary either, since the server accepts whatever block markup a user submits. Until the update is applied, review pending and draft posts from contributors before previewing or publishing them.
Code Audit:
Check that every block attribute is escaped for the context it is printed in. The call below is the wrong tool for an attribute value: wp_kses() with the 'strip' context removes HTML tags but leaves a double quote untouched, so a value such as 2025-01-01" onload=... passes through unchanged and still breaks out of the attribute. Attribute values need esc_attr(), text nodes esc_html(), and data handed to inline JavaScript wp_json_encode().
echo wp_kses($attributes[''], 'strip');
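The audit point above, as an added example that is not the plugin's own code: the vulnerable shape of a countdown render callback next to a hardened one. The function names, the markup and the accepted endDate format are assumptions; the advisory only states that the attribute is printed without escaping. The esc_attr() stand-in exists only so the file runs outside WordPress.

```php
<?php
// Added example, not plugin code: vulnerable versus hardened rendering of the
// endDate attribute. Markup and date format are assumptions.

if (!function_exists('esc_attr')) {
    // Stand-in so this file runs outside WordPress. WordPress' esc_attr()
    // likewise encodes <, >, &, " and ' for the attribute context.
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/** Vulnerable shape: the attribute value is concatenated straight into HTML. */
function render_countdown_vulnerable(array $attributes): string
{
    $end_date = $attributes['endDate'] ?? '';
    return '<div class="guten-countdown" data-end-date="' . $end_date . '"></div>';
}

/** Hardened shape: validate the value, then escape it for the attribute context. */
function render_countdown_hardened(array $attributes): string
{
    $end_date = (string) ($attributes['endDate'] ?? '');
    // Allowlist first (assumed format: YYYY-MM-DD with optional HH:MM[:SS]).
    // A date never legitimately contains quotes, so anything else is dropped.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}(?:[ T]\d{2}:\d{2}(?::\d{2})?)?$/', $end_date)) {
        $end_date = '';
    }
    // Escape regardless of validation: the two controls are independent.
    return '<div class="guten-countdown" data-end-date="' . esc_attr($end_date) . '"></div>';
}

// The advisory's payload, as the attribute array delivers it once WordPress
// has decoded the block JSON (constructed input).
$payload = ['endDate' => '2025-01-01" onload=alert(document.cookie)//'];
echo "vulnerable: ", render_countdown_vulnerable($payload), "\n";
echo "hardened:   ", render_countdown_hardened($payload), "\n";
```

The vulnerable line emits the quote and the handler as live markup; the hardened line emits an empty, escaped attribute. Keep both controls even when the allowlist looks sufficient: the escape is what protects the attribute context if the format is ever widened.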
References:
Analytics:
- 80% of exploits target the endDate attribute.
- Payloads often exfiltrate session cookies.
- WAF rules that block the literal onload= in POST data are a weak signal: other handlers (onerror, onmouseover) serve the same purpose and the request body can encode the payload, so match on the decoded attribute value rather than on one string.
Commands:
1. Update the plugin. wp plugin update takes no --force flag; to reinstall the current release over a possibly tampered copy, use the install command with --force:
wp plugin update gutenverse
wp plugin install gutenverse --force
2. Find affected content before touching it. Do not run a blanket DELETE against wp_posts: it would remove every post that legitimately uses the block, along with its revisions, and leave orphaned postmeta and term relationships behind. Back up first with wp db export, then list the candidates (the query assumes the default wp_ table prefix) and clean or restore each affected post from a revision or the backup:
wp db query "SELECT ID, post_type, post_status, post_author FROM wp_posts WHERE post_content LIKE '%gutenverse/countdown%'"
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode