The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including across the entire WordPress admin panel.
The Maxi Blocks WordPress plugin contains a Stored Cross-Site Scripting vulnerability in its REST API endpoint that allows authenticated authors to inject malicious scripts. These scripts execute globally across the website and admin panel due to insufficient input sanitization.
A Stored XSS vulnerability in the Maxi Blocks plugin for WordPress affects all versions up to 2.1.9 via a REST API endpoint. The vulnerability allows authenticated users with Author-level access and above to inject malicious scripts that execute on all pages of the site and in the admin interface.
Update the Maxi Blocks plugin to version 2.2.0 or later immediately. Restrict Author-level access to trusted users only. Implement Web Application Firewall rules to monitor and block suspicious REST API requests to the style-card endpoint. Review user roles and permissions regularly.
Update the Maxi Blocks plugin to version 2.2.0 or later immediately. Restrict Author-level access to trusted users only. Apply Web Application Firewall rules to monitor and block suspicious REST API requests. Review user roles and permissions regularly.
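The monitoring step above can be expressed as a simple rule: a write to the style-card endpoint whose `sc_styles` value carries HTML or script markers rather than CSS is worth an alert. The following Python is an added example, not code from the advisory or from the Maxi Blocks project; it scans constructed request records of the shape a WAF or request-logging layer might produce (field names `user`, `remote`, `method`, `path`, `body` are assumptions), decodes URL and HTML-entity encoding before matching, and reports the patterns found.

```python
"""Flag suspicious writes to the Maxi Blocks style-card REST endpoint.

Added monitoring example: scans constructed request records and reports
sc_styles values that contain HTML or script markers instead of CSS.
"""
import html
import re
from urllib.parse import unquote_plus

STYLE_CARD_PATH = "/wp-json/maxi-blocks/v1.0/style-card"  # endpoint named in the advisory

# Markers that have no place in a CSS style card. They are matched after
# URL- and HTML-entity-decoding so trivial encoding does not hide them.
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][\w-]*", re.IGNORECASE),
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "style_breakout": re.compile(r"<\s*/\s*style", re.IGNORECASE),
}


def normalize(value: str) -> str:
    """URL-decode then entity-decode, repeating until stable (bounded to 3 rounds).

    unquote_plus also turns '+' into a space; that is harmless here because
    the check only looks for markup markers, not for valid CSS syntax.
    """
    current = value
    for _ in range(3):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current


def suspicious_reasons(sc_styles: str) -> list[str]:
    """Return the names of every pattern matched in the decoded sc_styles value."""
    text = normalize(sc_styles)
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(text)]


def scan_requests(requests: list[dict]) -> list[dict]:
    """Return an alert for each write to the style-card route whose sc_styles looks like markup."""
    alerts = []
    for req in requests:
        if req.get("method", "").upper() not in {"POST", "PUT", "PATCH"}:
            continue
        # Ignore a query string and a trailing slash when matching the route.
        if req.get("path", "").split("?", 1)[0].rstrip("/") != STYLE_CARD_PATH:
            continue
        sc_styles = req.get("body", {}).get("sc_styles")
        if not isinstance(sc_styles, str):
            continue
        reasons = suspicious_reasons(sc_styles)
        if reasons:
            alerts.append({"user": req.get("user"), "remote": req.get("remote"), "reasons": reasons})
    return alerts


# Constructed sample requests (not real traffic): a benign CSS update, a raw
# markup value, a URL-encoded variant, and a request to an unrelated route.
SAMPLE_REQUESTS = [
    {"user": "editor_a", "remote": "203.0.113.10", "method": "POST", "path": STYLE_CARD_PATH,
     "body": {"sc_styles": ".maxi-card { color: #333; font-size: 16px; }"}},
    {"user": "author_b", "remote": "203.0.113.11", "method": "POST", "path": STYLE_CARD_PATH,
     "body": {"sc_styles": "</style><script>console.log('probe')</script>"}},
    {"user": "author_c", "remote": "203.0.113.12", "method": "POST", "path": STYLE_CARD_PATH + "/",
     "body": {"sc_styles": "%3Cimg%20src%3Dx%20onerror%3Dconsole.log(1)%3E"}},
    {"user": "author_b", "remote": "203.0.113.11", "method": "POST", "path": "/wp-json/wp/v2/posts",
     "body": {"content": "<p>hello</p>"}},
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

Running the module prints two alerts, for `author_b` and `author_c`; the benign CSS update and the unrelated route produce nothing. The same rule set is what a WAF signature for this endpoint would encode, and the per-user output lets the alert be correlated with the role review the advisory recommends.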