Custom Block Builder WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Custom Block Builder WordPress plugin, affecting versions prior to 4.3.0. The issue arises because the plugin does not consistently check the unfiltered_html capability on every pathway that writes to its block template code fields. As a result, administrators who lack that capability, namely administrators on multisite installations and on single-site installations with DISALLOW_UNFILTERED_HTML defined, can inject arbitrary JavaScript into a block template. The injected script executes for any visitor of a page that includes the affected block.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected JavaScript runs in the browser of every user who views a page containing the affected block, in the context of that user's session.

Reproduction

To reproduce this vulnerability, an administrator account on a multisite WordPress installation (or on a single-site installation with DISALLOW_UNFILTERED_HTML enabled) is required. The vulnerability is exploited by creating a Lazy Blocks custom block and injecting a cross-site scripting payload into the 'lazyblocks_code_frontend_html' post meta. Writing the meta through the XML-RPC interface bypasses the plugin's unfiltered_html check, which is only applied on its own editor save path. Once the block is created, embedding it in a page triggers execution of the injected script.

Remediation

Users are advised to update the Custom Block Builder WordPress plugin to version 4.3.0 or later.
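For sites that cannot update immediately, the following must-use plugin is an added defensive example written for this advisory; it is not the plugin's own fix. It hooks the core meta sanitization filter that WordPress runs on every post-meta write, so the capability check covers the XML-RPC path as well as the editor. It assumes the meta key name quoted above is the only template field that needs guarding, and the function name is hypothetical.

```php
<?php
/**
 * Plugin Name: Guard Lazy Blocks template meta (added example)
 *
 * Defensive mu-plugin written for this advisory, not the plugin's own
 * fix. It enforces the unfiltered_html capability on every write to the
 * 'lazyblocks_code_frontend_html' post meta regardless of entry point
 * (block editor, REST API, XML-RPC) by hooking the sanitization filter
 * that update_metadata()/add_metadata()/update_metadata_by_mid() always
 * run. Assumption: only the meta key named in the advisory is covered;
 * other Lazy Blocks template keys are not guarded here.
 * Install by placing this file in wp-content/mu-plugins/.
 */

// sanitize_post_meta_{key} is applied by sanitize_meta() on every
// add_post_meta()/update_post_meta() call, so no write path can skip it.
// The value arrives unslashed, which is what wp_kses_post() expects.
function example_lazyblocks_sanitize_frontend_html( $meta_value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $meta_value; // Trusted user: leave the template untouched.
    }

    // Same treatment core gives post_content for users without
    // unfiltered_html: keep only the allowed post HTML, which removes
    // <script> elements, on* event handlers and javascript: URLs.
    $clean = wp_kses_post( (string) $meta_value );

    if ( $clean !== $meta_value ) {
        // Leave an audit trail so a filtered write is visible in the
        // PHP error log instead of being altered silently.
        error_log( sprintf(
            'Lazy Blocks template meta write by user %d via %s was filtered (unfiltered_html not granted)',
            get_current_user_id(),
            isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : 'unknown'
        ) );
    }

    return $clean;
}
add_filter( 'sanitize_post_meta_lazyblocks_code_frontend_html', 'example_lazyblocks_sanitize_frontend_html' );
```

The log line makes blocked attempts easy to spot in the error log; a filtered write arriving via xmlrpc.php from an administrator account is worth a closer look.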

Added: Jun 9, 2026, 6:49 AM
Updated: Jun 9, 2026, 6:49 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.5
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.