A PHP Object Injection vulnerability has been identified in the WordPress Essential Blocks Pro Plugin. This vulnerability could allow a malicious actor to execute code injection, SQL injection, path traversal, denial of service, and more if a proper POP chain is present.

This vulnerability was discovered and responsibly reported by Marco Wotschka.

The vulnerability is a PHP Object Injection vulnerability that occurs in the essential-blocks.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to inject malicious PHP objects into the website.


The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Essential Blocks Pro Plugin prior to 1.1.1.


An attacker who successfully exploits this vulnerability could:

  • Execute arbitrary PHP code on the affected website.
  • Inject malicious SQL code into the website’s database.
  • Perform path traversal attacks to access sensitive files on the website.
  • Cause the website to become unavailable.


Given the critical nature of this vulnerability, users can take the following action for the website’s defenses:

  • Update the Plugin: Start by updating the Essential Blocks Pro Plugin to the latest available version, which is at least 1.1.1. This update contains essential security fixes to eradicate the PHP Object Injection vulnerability.
  • Security Best Practices: Implement robust security practices on the website, including strong authentication mechanisms, access controls, and regular security audits.

This vulnerability is a serious threat to the security of WordPress websites that use the Essential Blocks Pro Plugin. Users are strongly advised to update to the latest available version as soon as possible.