A PHP Object Injection vulnerability has been identified in the WordPress Essential Blocks for Gutenberg Plugin. This vulnerability could allow a malicious actor to perform code injection, SQL injection, path traversal, denial of service, and more if a suitable POP chain is present.
This vulnerability was discovered and responsibly reported by Marco Wotschka.
The PHP Object Injection occurs in the essential-blocks.php file. A flaw in the way the plugin handles user input allows an attacker to inject malicious PHP objects into the website.
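The general pattern behind this class of bug, and why a POP chain is needed for impact, shown as an added example; it is not the plugin's code or its fix, which the advisory does not show. The `TempFile` class, the `load_settings_*` functions and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical class standing in for any class already loaded on the site
// whose magic method acts on its own properties (one link of a POP chain).
class TempFile {
    public static $log = [];   // records side effects instead of touching disk
    public $path = '';
    public function __destruct() {
        self::$log[] = "cleanup requested for {$this->path}";
    }
}

// Before: the sender of $input decides which class gets instantiated.
function load_settings_unsafe(string $input) {
    return unserialize($input);
}

// True if $value is, or contains at any depth, an object.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// After: no class may be instantiated, and anything that is not a plain
// array of non-object values is rejected.
function load_settings_safe(string $input): ?array {
    $data = @unserialize($input, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null;
    }
    return $data;
}

// Constructed input: a serialized TempFile where a settings array is expected.
$wire = 'O:8:"TempFile":1:{s:4:"path";s:11:"example.tmp";}';

$obj = load_settings_unsafe($wire);
unset($obj);                             // __destruct runs on sender-chosen data
$rejected = load_settings_safe($wire);   // object input is refused
$accepted = load_settings_safe(serialize(['columns' => 3]));
var_dump(count(TempFile::$log), $rejected, $accepted);
```

Where the data format is under the developer's control, `json_decode()` avoids the problem entirely because it cannot instantiate application classes.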
Severity:
The vulnerability has a CVSS 3.1 score of 8.3, which is rated high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
Affected Versions:
To mitigate this vulnerability, update the Essential Blocks for Gutenberg Plugin to the latest available version, which should be at least 4.2.1.
Impact:
An attacker who successfully exploits this vulnerability could:
- Execute arbitrary PHP code on the affected website.
- Inject malicious SQL code into the website’s database.
- Perform path traversal attacks to access sensitive files on the website.
- Cause the website to become unavailable.
Recommendation:
Users of the Essential Blocks for Gutenberg Plugin are strongly advised to update to the latest available version (at least 4.2.1). This vulnerability has been fixed in version 4.2.1.