CVE-2024-4863
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via titleFont ParameterThe Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘titleFont’ parameter in all versions up to, and including, 3.2.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 13,967 live websites that are affected by CVE-2024-4863.
Affected Software
| Product |  Kadence Blocks |
| Category | Wordpress Plugins |
| Vulnerable Domains | 13,967 live websites (21.62% of Kadence Blocks install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 263 versions ( 87.96% of all versions) |
Details
- Published - Jun 14, 2024
- Updated - Aug 1, 2024
Credits
- Matthew Rollings (finder)
CVE References
CVE-2024-4863 usage by Country
 United States | 5,448 websites |
 Germany | 1,592 websites |
 France | 884 websites |
 GB | 587 websites |
 Poland | 581 websites |
 Russia | 378 websites |
 Japan | 371 websites |
 Netherlands | 344 websites |
 Spain | 288 websites |
 Cyprus | 245 websites |
CVE-2024-4863 usage by TLD
| .com | 6,450 websites |
| .de | 819 websites |
| .org | 719 websites |
| .pl | 448 websites |
| .fr | 424 websites |
| .net | 421 websites |
| .co.uk | 383 websites |
| .ru | 350 websites |
| .nl | 341 websites |
| .com.au | 223 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-4863
Top websites that are affected by CVE-2024-4863. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | United States | *,*** | |
| *******.cz |  Czech Republic | *,*** | |
| *********.com | United States | **,*** | |
| *************.com | United States | **,*** | |
| *******************.com | United States | **,*** | |
| ************.com | United States | **,*** | |
| ************.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| ******.org |  Bulgaria | **,*** |
FAQ
A total of 13,967 websites have been identified as vulnerable to CVE-2024-4863, discovered through global website indexing conducted by WebTechSurvey.
Kadence Blocks is susceptible to CVE-2024-4863 vulnerability.
Kadence Blocks versions before, and including, 3.2.38 are vulnerable to CVE-2024-4863.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2e0cde65-f75c-4602-bffe-97b391a428b4?source=cve
- https://plugins.trac.wordpress.org/browser/kadence-blocks/trunk/includes/blocks/class-kadence-blocks-testimonial-block.php#L276
- https://plugins.trac.wordpress.org/changeset/3091170/kadence-blocks/trunk/includes/blocks/class-kadence-blocks-testimonial-block.php