CVE-2024-2255
Published: 2024-03-20
Priority: P4 (23); severity: medium; CVSS 3.1 base score 5.4
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.56% (42.3rd percentile)
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.5.2, due to insufficient input sanitization and output escaping of user-supplied block attributes such as listStyle (the referenced code is the Table of Contents block's render path, blocks/TableOfContents.php). This makes it possible for authenticated attackers with Contributor-level and above permissions to inject arbitrary web scripts into pages; the script executes in the browser of any user who views the injected page, including administrators previewing or reviewing the post. Fixed in 4.5.3.
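As an added illustration (not the plugin's code, and not taken from the referenced Trac changeset), the PHP below shows the CWE-79 pattern behind this advisory: a block render callback that interpolates a Contributor-controlled attribute (listStyle) straight into markup, beside a hardened version that allow-lists the value and still escapes it on output, plus a small triage scan over stored post_content. The block name essential-blocks/table-of-contents, the generated markup, the payload and the sample post content are all constructed assumptions; esc_attr() is WordPress's real function, and the stand-in is defined only when the file runs outside WordPress.

```php
<?php
// Added illustration of the CWE-79 pattern; not the plugin's own code.
// esc_attr() is WordPress's real escaping function; the stand-in below
// is only defined when this file runs outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Values a Contributor can control through the block editor.
// Only the render callback stands between these and the page.
$attributes = [
    // Constructed payload: closes the style attribute and adds an event handler.
    'listStyle' => 'disc" onmouseover="alert(document.domain)" x="',
];

// Before: the attribute goes into the markup untouched (hypothetical shape of the bug).
function render_toc_vulnerable(array $attributes): string {
    $style = $attributes['listStyle'] ?? 'disc';
    return '<ul class="eb-toc" style="list-style-type:' . $style . '"></ul>';
}

// After: validate against an allow-list, and still escape on output.
const ALLOWED_LIST_STYLES = ['disc', 'circle', 'square', 'decimal', 'lower-alpha', 'none'];

function render_toc_hardened(array $attributes): string {
    $style = $attributes['listStyle'] ?? 'disc';
    if (!in_array($style, ALLOWED_LIST_STYLES, true)) {
        $style = 'disc'; // unknown value: fall back, never echo it
    }
    return '<ul class="eb-toc" style="list-style-type:' . esc_attr($style) . '"></ul>';
}

// Triage: scan stored post_content for this block (assumed block name) whose
// listStyle is not a plain CSS keyword. Run it over wp_posts.post_content.
function find_suspicious_list_styles(string $post_content): array {
    $hits = [];
    $re = '/<!--\s*wp:essential-blocks\/table-of-contents\s+(\{.*?\})\s*\/?-->/s';
    if (preg_match_all($re, $post_content, $m)) {
        foreach ($m[1] as $json) {
            $attrs = json_decode($json, true);
            if (!is_array($attrs) || !array_key_exists('listStyle', $attrs)) {
                continue;
            }
            $value = (string) $attrs['listStyle'];
            if (!preg_match('/^[a-z-]+$/', $value)) {
                $hits[] = $value;
            }
        }
    }
    return $hits;
}

// Constructed sample post_content: one benign block, one injected block.
$sample_post = '<!-- wp:essential-blocks/table-of-contents {"listStyle":"disc"} /-->' . "\n"
    . '<!-- wp:essential-blocks/table-of-contents {"listStyle":"disc\" onmouseover=\"alert(1)\" x=\""} /-->';

echo "vulnerable: " . render_toc_vulnerable($attributes) . "\n";
echo "hardened:   " . render_toc_hardened($attributes) . "\n";
echo "flagged:    " . json_encode(find_suspicious_list_styles($sample_post)) . "\n";
```

The allow-list is the real fix for an attribute that can only ever be a CSS keyword; esc_attr() is kept as defence in depth so a future attribute that is free text still cannot break out of the quoted attribute. The scan is for triage after upgrading to 4.5.3: patching stops new injection but does not remove blocks already stored in post_content.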
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdeveloper | essential_blocks | < 4.5.3 | 4.5.3 |
| wpdevteam | gutenberg_essential_blocks_page_builder_for_gutenberg_blocks_patterns | <= 4.5.3 | — |
The two ranges disagree on whether 4.5.3 is affected. The GHSA text, the Wordfence entry and the referenced Trac changeset all place the fix in 4.5.3, so treat 4.5.2 as the last vulnerable release and verify the installed version rather than relying on the second range.
CVSS provenance
- NVD (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Red Hat (vendor): 5.5 MEDIUM (this score appears to belong to the cross-linked kernel entry listed under Red Hat below, CVE-2024-57800, not to this WordPress plugin issue)
GHSA
GHSA-9h2h-gpqp-6qgg (unreviewed, 2024-03-20): CVE-2024-2255, MEDIUM, CWE-79
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.5.2 due to insufficient input sanitization and output escaping on user supplied attributes such as listStyle. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Red Hat
The Red Hat entry cross-linked here is a different vulnerability: CVE-2024-57800 (MEDIUM, CWE-20, CVSS 5.5, 2025-01-11), "kernel: ALSA: memalloc: prefer dma_mapping_error() over explicit address checking", a Linux kernel fix for a DMA-API debug warning (check_unmap in kernel/dma/debug.c) raised from the snd_pcm buffer-free path. Its only visible connection to this page is that the quoted stack trace was produced by a process with PID 2255; it has no bearing on the WordPress plugin issue, and the trace is not reproduced here.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.5.2/blocks/TableOfContents.php#L120 (affected code in 4.5.2)
- https://plugins.trac.wordpress.org/changeset/3053199/essential-blocks/trunk/blocks/TableOfContents.php (fix changeset)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cfcd59ae-085f-47d2-a4d2-2d1239f035d2?source=cve (Wordfence advisory)