Advanced Accordion Gutenberg Block Stored Cross-Site Scripting Vulnerability via SVG Uploads

A stored cross-site scripting vulnerability has been identified in the Advanced Accordion Gutenberg Block plugin for WordPress, affecting all versions through 5.0.2. The issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Author-level access or higher to inject arbitrary scripts into pages. These scripts are executed when a user accesses the uploaded SVG file.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the SVG file.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access or higher can upload an SVG file containing malicious scripts. The Advanced Accordion Gutenberg Block plugin must be active, and the upload must be made through a feature that allows SVG file uploads, such as a custom block that supports this file type. Once the file is uploaded, the injected scripts will execute when the SVG is accessed.

Remediation

Users are advised to update the Advanced Accordion Gutenberg Block plugin to version 5.0.3 or later.