CVE-2024-8760 is a CSS injection vulnerability classified under CWE-94 (Improper Control of Generation of Code) found in the Stackable – Page Builder Gutenberg Blocks WordPress plugin, versions up to and including 3.13.6. The vulnerability allows unauthenticated attackers to inject malicious CSS code into comments, which can be rendered by the plugin. This injection can be leveraged to exfiltrate sensitive data such as admin nonces—security tokens used to verify legitimate requests in WordPress. Although the direct impact is limited to confidentiality, these nonces can facilitate Cross-Site Request Forgery (CSRF) attacks within their validity period. The vulnerability's risk is compounded when other plugins are present that expose additional nonces or AJAX endpoints without proper capability checks, potentially allowing attackers to perform unauthorized actions. The attack vector requires no authentication or user interaction, making it easier to exploit remotely. However, the impact is constrained by the limited scope of data exfiltration and the transient nature of nonces. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions of the Stackable plugin up to 3.13.6 and is relevant to WordPress sites using this plugin, which is popular for building Gutenberg blocks. The CVSS v3.1 score of 5.3 reflects the medium severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact.

The primary impact of CVE-2024-8760 is on the confidentiality of affected WordPress sites using the Stackable plugin. By injecting malicious CSS, attackers can exfiltrate admin nonces, which are security tokens that protect against unauthorized actions. If attackers obtain these nonces, they can perform CSRF attacks within the nonce validity window, potentially executing unauthorized administrative actions. The impact is limited if the site has proper capability checks on AJAX actions and other endpoints; however, in environments with additional vulnerable plugins lacking such checks, the risk escalates, potentially leading to privilege escalation or unauthorized data manipulation. Although the vulnerability does not directly affect integrity or availability, the ability to perform CSRF attacks can indirectly compromise site integrity. The ease of exploitation without authentication and user interaction increases the threat surface, especially for publicly accessible WordPress sites. Organizations relying on this plugin may face data leakage, unauthorized administrative actions, and reputational damage if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the need for remediation.

1. Immediate mitigation involves updating the Stackable – Page Builder Gutenberg Blocks plugin to a patched version once available. Monitor vendor announcements for official patches. 2. In the absence of a patch, implement Web Application Firewall (WAF) rules to detect and block suspicious CSS injection patterns in comments and other user inputs. 3. Review and harden capability checks on all AJAX endpoints and actions exposed by other plugins to ensure that only authorized users can perform sensitive operations. 4. Limit the lifetime and scope of admin nonces where possible to reduce the window of opportunity for CSRF attacks. 5. Disable or restrict comments if not necessary, or implement stricter input sanitization and validation for comment content. 6. Conduct regular security audits and penetration testing focusing on plugin interactions and nonce handling. 7. Educate site administrators about the risks of installing plugins without proper security reviews and encourage minimal plugin use. 8. Monitor logs for unusual activity related to nonce usage or AJAX calls that could indicate exploitation attempts. These steps provide layered defense beyond generic advice, addressing the specific exploitation vectors and environment factors.