A PHP Object Injection vulnerability has been identified in the WordPress Essential Blocks for Gutenberg Plugin. This vulnerability could allow a malicious actor to execute code injection, SQL injection, path traversal, denial of service, and more if a proper POP chain is present.
This vulnerability was discovered and responsibly reported by Marco Wotschka.
The vulnerability is a PHP Object Injection vulnerability that occurs in the essential-blocks.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to inject malicious PHP objects into the website.
The vulnerability has a CVSS 3.1 score of 8.3, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
To effectively mitigate this vulnerability, it’s imperative to update the Essential Blocks for Gutenberg Plugin to the latest available version, which should be at least 4.2.1.
An attacker who successfully exploits this vulnerability could:
- Execute arbitrary PHP code on the affected website.
- Inject malicious SQL code into the website’s database.
- Perform path traversal attacks to access sensitive files on the website.
- Cause the website to become unavailable.
Users of the Essential Blocks for Gutenberg Plugin are strongly advised to update to the latest available version (at least 4.2.1). This vulnerability has been fixed in version 4.2.1.