CVE-2023-7071: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2023-7071 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin "Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates" developed by wpdevteam. This vulnerability affects all versions up to and including 4.4.6. The flaw arises from improper input sanitization and output escaping in the Table of Contents block, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected website. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based with low attack complexity, requires privileges (contributor or higher), does not require user interaction, and impacts confidentiality and integrity with a scope change (meaning the vulnerability can affect resources beyond the initially compromised component). No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability's exploitation requires authenticated access, limiting the attack surface to users who have at least contributor permissions on the WordPress site. However, given the widespread use of this plugin for building Gutenberg blocks and page layouts, the vulnerability poses a significant risk to websites using it, especially those with multiple contributors or editors.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially compromising user data, stealing authentication tokens, or defacing websites. Organizations relying on the Essential Blocks plugin for content management and page building may face risks of data leakage or manipulation, especially if contributor accounts are compromised or misused. The vulnerability could be exploited to conduct targeted attacks against site administrators or visitors, undermining trust and potentially leading to reputational damage. Since many European businesses and public sector entities use WordPress for their web presence, the impact includes potential breaches of GDPR requirements related to data protection and user privacy. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect other components or users beyond the initially compromised contributor account, increasing the risk of broader compromise within the affected website environment.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Essential Blocks – Page Builder Gutenberg Blocks plugin, particularly versions up to 4.4.6. Until an official patch is released, organizations should consider the following mitigations: 1) Restrict contributor-level access strictly to trusted users and review user roles and permissions to minimize the number of users who can inject content. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious script injections in POST requests related to the Table of Contents block. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 5) Educate content contributors about the risks of injecting untrusted content and enforce strict content review processes before publishing. 6) Regularly back up website data to enable quick restoration in case of compromise. Once a patch is available, prioritize updating the plugin to the fixed version to fully remediate the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
CVE-2023-7071: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Description
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI-Powered Analysis
Technical Analysis
CVE-2023-7071 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin "Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates" developed by wpdevteam. This vulnerability affects all versions up to and including 4.4.6. The flaw arises from improper input sanitization and output escaping in the Table of Contents block, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected website. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based with low attack complexity, requires privileges (contributor or higher), does not require user interaction, and impacts confidentiality and integrity with a scope change (meaning the vulnerability can affect resources beyond the initially compromised component). No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability's exploitation requires authenticated access, limiting the attack surface to users who have at least contributor permissions on the WordPress site. However, given the widespread use of this plugin for building Gutenberg blocks and page layouts, the vulnerability poses a significant risk to websites using it, especially those with multiple contributors or editors.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially compromising user data, stealing authentication tokens, or defacing websites. Organizations relying on the Essential Blocks plugin for content management and page building may face risks of data leakage or manipulation, especially if contributor accounts are compromised or misused. The vulnerability could be exploited to conduct targeted attacks against site administrators or visitors, undermining trust and potentially leading to reputational damage. Since many European businesses and public sector entities use WordPress for their web presence, the impact includes potential breaches of GDPR requirements related to data protection and user privacy. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect other components or users beyond the initially compromised contributor account, increasing the risk of broader compromise within the affected website environment.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Essential Blocks – Page Builder Gutenberg Blocks plugin, particularly versions up to 4.4.6. Until an official patch is released, organizations should consider the following mitigations: 1) Restrict contributor-level access strictly to trusted users and review user roles and permissions to minimize the number of users who can inject content. 2) Implement Web Application Firewall (WAF) rules that detect and block suspicious script injections in POST requests related to the Table of Contents block. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 5) Educate content contributors about the risks of injecting untrusted content and enforce strict content review processes before publishing. 6) Regularly back up website data to enable quick restoration in case of compromise. Once a patch is available, prioritize updating the plugin to the fixed version to fully remediate the vulnerability.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2023-12-21T21:34:48.129Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 683f034b182aa0cae27e666c
Added to database: 6/3/2025, 2:14:35 PM
Last enriched: 7/4/2025, 3:26:57 PM
Last updated: 8/17/2025, 1:10:05 AM
Views: 11
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.