Skip to main content

CVE-2023-7071: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Medium
VulnerabilityCVE-2023-7071cvecve-2023-7071cwe-79
Published: Thu Jan 11 2024 (01/11/2024, 08:33:09 UTC)
Source: CVE Database V5
Vendor/Project: wpdevteam
Product: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Description

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/04/2025, 15:26:57 UTC

Technical Analysis

CVE-2023-7071 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin "Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates" developed by wpdevteam. This vulnerability affects all versions up to and including 4.4.6. The flaw arises from improper input sanitization and output escaping in the Table of Contents block, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected website. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based with low attack complexity, requires privileges (contributor or higher), does not require user interaction, and impacts confidentiality and integrity with a scope change (meaning the vulnerability can affect resources beyond the initially compromised component). No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability's exploitation requires authenticated access, limiting the attack surface to users who have at least contributor permissions on the WordPress site. However, given the widespread use of this plugin for building Gutenberg blocks and page layouts, the vulnerability poses a significant risk to websites using it, especially those with multiple contributors or editors.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially compromising user data, stealing authentication tokens, or defacing websites. Organizations relying on the Essential Blocks plugin for content management and page building may face risks of data leakage or manipulation, especially if contributor accounts are compromised or misused. The vulnerability could be exploited to conduct targeted attacks against site administrators or visitors, undermining trust and potentially leading to reputational damage. Since many European businesses and public sector entities use WordPress for their web presence, the impact includes potential breaches of GDPR requirements related to data protection and user privacy. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect other components or users beyond the initially compromised contributor account, increasing the risk of broader compromise within the affected website environment.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Essential Blocks – Page Builder Gutenberg Blocks plugin, particularly versions up to 4.4.6. Until an official patch is released, organizations should consider the following mitigations: 1) Restrict contributor-level access strictly to trusted users and review user roles and permissions to minimize the number of users who can inject content. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious script injections in POST requests related to the Table of Contents block. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 5) Educate content contributors about the risks of injecting untrusted content and enforce strict content review processes before publishing. 6) Regularly back up website data to enable quick restoration in case of compromise. Once a patch is available, prioritize updating the plugin to the fixed version to fully remediate the vulnerability.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2023-12-21T21:34:48.129Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683f034b182aa0cae27e666c

Added to database: 6/3/2025, 2:14:35 PM

Last enriched: 7/4/2025, 3:26:57 PM

Last updated: 8/17/2025, 1:10:05 AM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats