CVE-2024-6346 is a stored cross-site scripting vulnerability found in the Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress, specifically affecting all versions up to and including 2.2.85a. The vulnerability arises from improper neutralization of input (CWE-79) in the redirectURL parameter of the Date Countdown widget. Due to insufficient sanitization and output escaping of user-supplied attributes, authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages. These malicious scripts are stored persistently and execute whenever any user accesses the infected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability does not require user interaction, and the attack can be launched remotely over the network with low complexity. The CVSS v3.1 score of 6.4 reflects a medium severity rating, indicating a moderate impact on confidentiality and integrity but no impact on availability. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level access to untrusted users. The lack of a patch link suggests that users should monitor vendor updates closely or implement temporary mitigations such as restricting contributor privileges or disabling the vulnerable widget.

The primary impact of CVE-2024-6346 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Exploitation allows attackers to inject persistent malicious scripts that execute in the context of other users’ browsers, enabling theft of session cookies, credentials, or other sensitive data. This can lead to unauthorized account access, privilege escalation, or manipulation of site content. Since the vulnerability requires contributor-level access, attackers must first gain some level of authenticated access, which may be feasible in multi-user environments or sites with weak access controls. The vulnerability does not affect availability directly but can facilitate further attacks that degrade trust and site integrity. Organizations relying on this plugin for content management or marketing may face reputational damage, data breaches, or compliance issues if exploited. The risk is heightened for sites with high traffic or sensitive user data, as well as those with multiple contributors or less stringent access policies.

To mitigate CVE-2024-6346, organizations should immediately update the Gutenberg Blocks, Page Builder – ComboBlocks plugin to a patched version once released by the vendor. Until a patch is available, restrict contributor-level access to trusted users only and audit existing user permissions to minimize risk. Disable or remove the Date Countdown widget if it is not essential to reduce the attack surface. Implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the redirectURL parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Regularly monitor logs and user activity for signs of exploitation attempts or anomalous behavior. Conduct security awareness training for contributors to recognize phishing or social engineering attempts that could lead to account compromise. Finally, maintain regular backups and incident response plans to quickly recover from any successful attacks.