Compliance Impact

The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via stored cross-site scripting (XSS) in pages. This could potentially lead to unauthorized access or manipulation of user data when those pages are accessed.

Such unauthorized script execution can compromise the confidentiality and integrity of user data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Useful 0 Not Useful 0

Executive Summary

The vulnerability exists in the Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress, specifically in all versions up to and including 3.1.16. It is a Stored Cross-Site Scripting (XSS) issue caused by insufficient output escaping of event titles, descriptions, and locations that are fetched from external iCal feeds in the Events block rendering function.

This flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute whenever any user accesses the injected page.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the execution of malicious scripts on your website by attackers who have Contributor-level access or above. The impact includes the potential compromise of user sessions, theft of sensitive information, defacement of web pages, or redirection to malicious sites.

Since the vulnerability is a Stored Cross-Site Scripting issue, the malicious code is permanently stored on the affected site and executed every time a user views the infected page, increasing the risk and reach of the attack.

Useful 0 Not Useful 0