Security breach and vulnerability in all versions

same here.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gutenberg/gutenberg-1373-authenticated-contributor-stored-cross-site-scripting

I am getting notifications from both my Hosting Provider and Wordfence telling me the same.

Details from Patchstack:

GenialHacker (Jitendra Patro) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Gutenberg Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

I have deactivated and deleted the plugin until I hear otherwise from the developers here… ??

Hey @basz85! I see there is an open issue for this on Gutenberg’s Github.

IMHO, It doesn’t look like this is a serious issue, since it will only happen if you manually add a malicious SVG image via a third-party URL to the site.

Hi @properlypurple,

Thanks, I saw it too and it bugged me a bit with ′no risk′-line – there is always a risk. With an severity of 5.x and XSS vulnerability is risk-issue to me.

Hey @basz85! Please note that since Gutenberg code is regularly merged back into WP core, this behaviour would technically also be present in WP core as well. The only way to avoid it would be to not load svg files from unknown sources in an image block.

If you have any inputs about the technical aspects, please leave a comment on the Github issue also linked in my previous message.

@properlypurple The issues seems to be that SVG code can be inputted in a Link or Custom HTML Block.

• This reply was modified 11 months, 3 weeks ago by Flexer.