CVE-2024-12304 is a stored cross-site scripting (XSS) vulnerability identified in the Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress, affecting all versions up to and including 3.4.2. The vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation. Specifically, the flaw exists in the handling of the button block link, where insufficient input sanitization and output escaping allow authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code. This malicious code is stored persistently in the WordPress database and executed whenever any user accesses the affected page, enabling attackers to perform actions such as session hijacking, privilege escalation, or content manipulation. The vulnerability requires authentication but no additional user interaction, and the attack surface includes any site using this plugin with the vulnerable versions. The CVSS v3.1 score of 6.4 indicates a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to potential impact on other users. Although no known exploits are currently in the wild, the widespread use of WordPress and this plugin makes timely remediation critical. The vulnerability highlights the importance of rigorous input validation and output encoding in web application components, especially those that allow user-generated content to be rendered dynamically.

The impact of CVE-2024-12304 on organizations worldwide can be significant, particularly for those relying on the Gutenberg Blocks with AI by Kadence WP plugin for their WordPress sites. Successful exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which execute in the browsers of any users visiting the compromised pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts, including potentially administrative accounts if session tokens are stolen. Attackers could also manipulate page content, deface websites, or redirect users to malicious sites, damaging organizational reputation and user trust. While the vulnerability does not directly affect availability, the integrity and confidentiality of site data and user information are at risk. Given WordPress's extensive global usage, especially among small to medium enterprises, blogs, and e-commerce sites, the vulnerability could be leveraged for targeted attacks or broader campaigns. The requirement for authenticated access limits the attacker's initial entry point but does not eliminate risk, as Contributor-level accounts are common in collaborative environments. The scope of impact extends beyond the initial attacker, affecting all visitors to the infected pages, thus amplifying potential damage.

To mitigate CVE-2024-12304, organizations should first update the Gutenberg Blocks with AI by Kadence WP plugin to a version where the vulnerability is patched once available. Until a patch is released, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script payloads in input fields related to the button block link can provide interim protection. Site owners should audit existing content for injected scripts and remove any suspicious code. Enforcing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting the execution of unauthorized scripts. Additionally, hardening WordPress installations by disabling unnecessary plugins, enforcing strong authentication mechanisms, and regularly monitoring logs for unusual activities will help detect and prevent exploitation attempts. Educating content contributors about safe input practices and the risks of injecting untrusted content is also beneficial. Finally, security teams should prepare incident response plans to quickly address any detected exploitation.