CVE-2024-5819 is a DOM-based stored Cross-Site Scripting (XSS) vulnerability identified in the Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied HTML data attributes. The flaw affects all plugin versions up to 3.2.45. An attacker with authenticated contributor-level access or higher can inject arbitrary JavaScript code into page content via these HTML data attributes. Because the malicious script is stored in the page content, it executes in the context of any user who views the infected page, potentially allowing session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability does not require user interaction beyond page access and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The scope is considered changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges. No patches or exploit code are currently publicly available, but the risk remains significant for sites using this plugin with contributor-level users. The root cause is a failure to properly sanitize and escape HTML data attributes before rendering them in the DOM, enabling malicious script injection.

The primary impact of CVE-2024-5819 is on the confidentiality and integrity of affected WordPress sites using the vulnerable plugin. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information, unauthorized content modifications, or execution of administrative actions if higher-privileged users view the infected pages. Although availability is not directly impacted, the trustworthiness and security posture of the affected site can be severely compromised. Organizations with multiple contributors or editors are at higher risk, as these roles can be leveraged to exploit the vulnerability. The widespread use of WordPress and the popularity of Kadence WP plugins mean that many websites globally could be affected, especially those that do not restrict contributor privileges or lack additional input validation controls. The vulnerability could be leveraged in targeted attacks against organizations relying on this plugin for page building and AI content features.

To mitigate CVE-2024-5819, organizations should first update the Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin to a patched version once it becomes available. Until a patch is released, restrict contributor-level and higher user roles to trusted individuals only, minimizing the risk of malicious script injection. Implement additional input validation and sanitization on user-generated content, especially for HTML data attributes, using security-focused WordPress plugins or custom code. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly audit user roles and permissions to ensure least privilege principles are enforced. Monitor site content for unexpected script injections or anomalies. Consider disabling or limiting the use of vulnerable blocks or features within the plugin if feasible. Finally, educate content contributors about safe content practices and the risks of injecting untrusted code.