CVE-2023-6486 — Spectra – WordPress Gutenberg Blocks <= 2.10.3 Contributor+ Stored Cross-Site Scripting via Slider Callback

The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS metabox in all versions up to and including 2.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The plugin provides a Custom CSS option under Spectra Page Settings when creating a new post. However, the CSS input is not properly sanitized before it is written into the page's style block, which can lead to XSS.

Proof of Concept

  1. Create a new post via /wp-admin/post-new.php
  2. Click the three-dot menu at the top right of the editor and select Spectra Page Settings.
  3. Enter the payload </style><script>alert('Spectra XSS')</script><style> in the Custom CSS field
  4. Fill in the post title and body with any content

The XSS payload is triggered when anyone (including an administrator) opens the post that was created.
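The defect here is a stored value being echoed inside a `<style>` element without any filtering, so a leading `</style>` closes the element and the rest is parsed as markup. The following is an added illustration, not Spectra's own code: the unsafe output pattern next to a hardened one. Function names are hypothetical; the sample string is the payload quoted in the steps above.

```php
<?php
// Added illustration (not the plugin's code). Function names are hypothetical.

// Constructed sample: the Custom CSS payload from the advisory above.
$custom_css = "</style><script>alert('Spectra XSS')</script><style>";

// VULNERABLE pattern: the stored CSS is printed verbatim. The leading
// </style> closes the element early, so the browser parses <script> as HTML.
function render_custom_css_unsafe(string $css): string
{
    return "<style id=\"custom-css\">\n" . $css . "\n</style>";
}

// Audit helper: flag stored values that try to leave the style element or
// open a script element (case-insensitive, tolerant of stray whitespace).
function css_breaks_out_of_style(string $css): bool
{
    return (bool) preg_match('#<\s*/?\s*(style|script)\b#i', $css);
}

// HARDENED pattern: CSS that is emitted inside <style> must never contain
// a tag. Strip all tags (wp_strip_all_tags() inside WordPress, strip_tags()
// in plain PHP), then drop any remaining "<", which valid CSS does not need
// outside of quoted content strings; losing those is the accepted trade-off.
// Note that esc_html() is not a substitute here: it would turn a legitimate
// selector such as "div > span" into "div &gt; span".
function sanitize_custom_css(string $css): string
{
    $clean = function_exists('wp_strip_all_tags')
        ? wp_strip_all_tags($css)
        : strip_tags($css);
    return str_replace('<', '', $clean);
}

function render_custom_css_safe(string $css): string
{
    // Apply the same sanitizer on save and again on output, so a value that
    // reached the database by another path still cannot break out.
    return "<style id=\"custom-css\">\n" . sanitize_custom_css($css) . "\n</style>";
}

echo "breaks out of <style>: ", css_breaks_out_of_style($custom_css) ? "yes" : "no", "\n\n";
echo "--- unsafe rendering ---\n", render_custom_css_unsafe($custom_css), "\n\n";
echo "--- safe rendering ---\n",   render_custom_css_safe($custom_css),   "\n";
```

Run it with `php` to compare the two renderings: the unsafe one contains a live script element, while the safe one keeps only inert text inside the style block.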

Impact

This makes it possible for authenticated attackers, with Contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.