CVE-2024-13675 is a stored cross-site scripting (XSS) vulnerability identified in the SlingBlocks – Gutenberg Blocks by FunnelKit (formerly WooFunnels) WordPress plugin, specifically within the "Icon List" block functionality. This vulnerability exists due to insufficient sanitization of user input and inadequate escaping of output during web page generation, categorized under CWE-79. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts via the vulnerable block. Because the malicious script is stored persistently, it executes every time the affected page is loaded by any user, including administrators and visitors. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, and requiring privileges (authenticated contributor or higher). The scope is changed, meaning the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. The impact includes limited confidentiality and integrity loss, as attackers can steal session cookies, perform actions on behalf of users, or deface content. Availability is not impacted. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin is widely used in WordPress environments that utilize Gutenberg blocks for content creation, especially in e-commerce and marketing sites leveraging FunnelKit’s tools.

The primary impact of this vulnerability is the potential for attackers with Contributor-level access to execute persistent malicious scripts on affected WordPress sites. This can lead to session hijacking, unauthorized actions performed in the context of higher-privileged users (such as editors or administrators), defacement of web content, and distribution of malware to site visitors. Since the vulnerability is stored XSS, it affects all users who view the compromised pages, increasing the attack surface. Organizations relying on this plugin for content management or e-commerce may face reputational damage, data leakage, and unauthorized access to sensitive administrative functions. The medium CVSS score reflects moderate risk, but the real-world impact could be significant if attackers escalate privileges or combine this with other vulnerabilities. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many WordPress sites allow contributors or similar roles, making this a realistic threat. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

1. Immediate upgrade: Organizations should update the SlingBlocks – Gutenberg Blocks by FunnelKit plugin to a version where this vulnerability is patched once available. Monitor vendor announcements for patches. 2. Restrict contributor permissions: Limit the number of users with Contributor-level or higher access, applying the principle of least privilege. 3. Input validation and output escaping: Site administrators or developers can implement additional server-side input sanitization and output escaping for the "Icon List" block content as a temporary mitigation. 4. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block malicious script payloads targeting this vulnerability. 5. Monitor logs and user activity: Watch for unusual contributor behavior or unexpected content changes that may indicate exploitation attempts. 6. Educate users: Train content contributors on safe content practices and the risks of injecting untrusted scripts. 7. Disable or remove the vulnerable block: If patching is not immediately possible, consider disabling the "Icon List" block or the entire plugin to prevent exploitation. 8. Regular security audits: Conduct periodic vulnerability scans and penetration tests focusing on WordPress plugins and user-generated content.