Recipe Card Blocks Lite Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Recipe Card Blocks Lite plugin for WordPress, affecting all versions through 3.4.13. The issue arises in the recipe block's 'summary' and 'notes' attributes, where the 'WPZOOM_Helpers::deserialize_block_attributes' method improperly handles unicode-encoded sequences. This flaw allows authenticated attackers with Author-level access or higher to inject arbitrary scripts into published posts, which are executed when a user views the post or the print version of the recipe.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the post.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access or higher can create a recipe block and inject script tags into the 'summary' or 'notes' attributes. Once the recipe is published, the injected script will execute when the post is viewed or printed.

Remediation

Users are advised to update the Recipe Card Blocks Lite plugin to version 3.4.14 or later.