CVE-2024-8241 is a stored cross-site scripting vulnerability identified in the Nova Blocks by Pixelgrade plugin for WordPress, specifically affecting the 'align' attribute of the 'wp:separator' Gutenberg block. The root cause is insufficient input sanitization and output escaping of user-supplied attributes, which allows an attacker with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability affects all versions up to and including 2.1.7. Exploitation requires authenticated access but no additional user interaction. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change with low confidentiality and integrity impacts but no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors. The vulnerability was published on September 10, 2024, and is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).

This vulnerability can lead to persistent cross-site scripting attacks, enabling attackers to execute arbitrary scripts in the context of affected websites. The impact includes potential theft of user credentials or session cookies, unauthorized actions performed on behalf of users, defacement of web content, and the spread of malware or phishing attacks. Since the vulnerability requires contributor-level access, attackers who have compromised or gained such privileges can leverage this flaw to escalate their impact. Organizations running WordPress sites with the Nova Blocks plugin are at risk of reputational damage, data breaches, and loss of user trust. The scope of the attack can extend to all users who visit the compromised pages, including administrators, editors, and site visitors, increasing the potential damage. Although no known exploits are currently in the wild, the medium severity score and ease of exploitation by authenticated users make timely remediation critical.

To mitigate this vulnerability, organizations should immediately update the Nova Blocks by Pixelgrade plugin to a version that addresses this issue once available. Until a patch is released, administrators should restrict contributor-level access to trusted users only and review existing content for suspicious scripts or injected code. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'align' attribute in Gutenberg blocks can provide temporary protection. Additionally, site owners should enforce strict input validation and output escaping practices in custom code and plugins. Regular security audits and monitoring for unusual user activity or content changes can help detect exploitation attempts early. Educating contributors about safe content practices and limiting plugin usage to trusted sources also reduces risk.