WordPress, the world’s most popular content management system, boasts an extensive library of plugins designed to extend its functionality. While these plugins offer incredible benefits, they also introduce potential security vulnerabilities. One such vulnerability, identified as CVE-2024-4655, affects the Ultimate Blocks plugin, which is installed on over 50,000 websites. This vulnerability allows attackers to execute Stored Cross-Site Scripting (XSS) attacks, leading to severe consequences, including the creation of admin accounts by unauthorized users.

PluginUltimate Blocks < 3.1.9
All Time1 391 292
Active installations50 000+
Publicly PublishedJune 27, 2024
Last UpdatedJune 27, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4655
Plugin Security Certification by CleanTalk
Logo of the plugin


May 4, 2024Plugin testing and vulnerability detection in the Ultimate Blocks have been completed
May 4, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
June 27, 2024Registered CVE-2024-4655

Discovery of the Vulnerability

During routine security testing of the Ultimate Blocks plugin, a critical vulnerability was discovered. This plugin, known for enhancing the Gutenberg editor with additional block options, was found to have a Stored XSS flaw. Specifically, the issue was traced to the “tabbed-content-block” feature, where improper sanitization of user input could be exploited. The vulnerability allows a contributor, or any user with similar permissions, to embed malicious JavaScript code into a post, which could then be executed in the browser of an admin user.

Understanding of Stored XSS attack’s

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. It allows attackers to inject malicious scripts into content that is delivered to other users. There are three main types of XSS: Reflected, Stored, and DOM-based. Stored XSS, the most severe type, occurs when the malicious code is permanently stored on the target server, such as within a database, and then displayed to users when they view the infected content.

WordPress, with its vast ecosystem of themes and plugins, is particularly susceptible to XSS attacks. For instance, past vulnerabilities have been found in popular plugins like Contact Form 7 and WP-Statistics, where attackers exploited XSS flaws to gain unauthorized access or deface websites.

Exploiting the Stored XSS Vulnerability

To exploit the vulnerability in the Ultimate Blocks plugin, an attacker with contributor-level access would follow these steps:


Create a new Post and add “tabbed-content-block” block. Change “tabsAnchor” field to 123″ onmouseover=alert(1) 


The implications of such a vulnerability are vast and alarming. In real-world scenarios, an attacker could exploit this flaw to inject code that creates a backdoor admin account. This new account would allow the attacker to bypass all security measures and gain full control over the website. They could then deface the site, steal sensitive data, or even use the site to distribute malware to unsuspecting visitors.

For a business, this could mean a severe loss of customer trust, potential legal liabilities, and significant financial damage. For personal bloggers or small businesses, the impact could be equally devastating, leading to loss of valuable content and disruption of online presence.

Recommendations for Improved Security

To mitigate such risks, website administrators and plugin developers should follow these best practices:

  1. Regular Updates: Always keep WordPress core, themes, and plugins updated to the latest versions.
  2. Input Sanitization: Plugin developers should ensure that all user inputs are properly sanitized and validated to prevent malicious code from being executed.
  3. Least Privilege Principle: Limit user permissions to the minimum required for their role. Contributors should not have capabilities that could pose a security risk.
  4. Security Plugins: Use security plugins that provide additional layers of protection, including real-time threat detection and automated backups.
  5. Regular Audits: Conduct regular security audits and code reviews to identify and fix potential vulnerabilities before they can be exploited.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4655, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-4655 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *