Alert From WPScan:
During an analysis of the Essential Blocks plugin, we discovered a pretty serious Local File Inclusion vulnerability that can be exploited by any attackers, regardless of whether they have an account on the site.
When successfully exploited, this vulnerability may let attackers include arbitrary files hosted on the server to be parsed and executed as PHP files, which could potentially lead to Remote Code Execution on certain server configurations.
Upon identifying the vulnerability, we promptly alerted the authors of that plugin, who released version 4.4.3 to fix the issue. It is crucial for administrators of sites using this plugin to ensure it is fully updated to safeguard against this vulnerability.
Unauthenticated Local File Inclusion
| Field | Value |
|---|---|
| Fixed Version | 4.4.3 |
| CVE-ID | CVE-2023-6623 |
| WPVDB ID | 633c28e0-0c9e-4e68-9424- |
| CVSSv3.1 | 9.0 |
```php
/**
 * Get views for front-end display
 *
 * @param string $name it will be file name only from the view's folder.
 * @param array  $data
 * @return void
 */
public static function views( $name, $data = [] ) {
    $__file = static::get_views_path( $name );
    $helper = static::class;

    extract( $data );

    if ( is_readable( $__file ) ) {
        include $__file;
    }
}
```
The plugin's template system uses PHP's extract() function to turn the $data array into local variables for the template it is about to include. It did not pass the function's optional EXTR_SKIP flag, so a key in $data could overwrite variables already defined in the function, including $__file, the variable holding the path of the template to include.
Worse, this helper function was called with user-supplied input from a publicly accessible REST API route, which is why the issue is exploitable without an account.
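The following added example (written for this advisory, not code from the Essential Blocks plugin) shows the two halves of the problem side by side: a resolver that mirrors the vulnerable pattern, where extract() with default flags lets a caller-supplied "__file" key replace the template path, and a hardened resolver that restricts the view name to a plain basename, uses EXTR_SKIP so existing variables win, and confirms the resolved path stays inside the views folder. Both functions return the path that would be passed to include rather than including it, and the script builds a temporary views folder with one constructed template so it runs stand-alone; the views directory parameter and the template name "hello" are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (mirrors the helper quoted above): $__file is assigned,
// then extract() runs with default flags, so a key named "__file" in $data
// silently replaces the template path before it is used.
function resolve_view_vulnerable(string $viewsDir, string $name, array $data = []): string
{
    $__file = $viewsDir . '/' . $name . '.php';
    extract($data);
    return $__file;
}

// Hardened pattern:
//  1. only accept a simple view name (no separators, no traversal sequences)
//  2. pass EXTR_SKIP so extract() cannot clobber $__file, $name or $viewsDir
//  3. resolve the path and require it to sit inside the views folder
function resolve_view_hardened(string $viewsDir, string $name, array $data = []): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $__file = $viewsDir . '/' . $name . '.php';
    extract($data, EXTR_SKIP);
    $base = realpath($viewsDir);
    $real = realpath($__file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// --- stand-alone demonstration with constructed input ---
// Constructed: a temporary views folder holding one legitimate template.
$views = sys_get_temp_dir() . '/views_demo_' . getmypid();
mkdir($views);
file_put_contents($views . '/hello.php', "<?php echo 'hello';\n");

// Constructed: request data that carries a "__file" key alongside a normal one.
$untrusted = ['title' => 'Welcome', '__file' => '/some/other/file.txt'];

// The vulnerable resolver returns whatever the "__file" key contained,
// not the path it computed from $name.
printf("vulnerable: %s\n", resolve_view_vulnerable($views, 'hello', $untrusted));

// The hardened resolver keeps its own $__file and returns the real
// path of hello.php inside the temporary views folder.
printf("hardened:   %s\n",
    var_export(resolve_view_hardened($views, 'hello', $untrusted), true));

// A name that is not a plain basename is rejected before any path is built.
printf("hardened (bad name): %s\n",
    var_export(resolve_view_hardened($views, '../hello', []), true));

unlink($views . '/hello.php');
rmdir($views);
```

When auditing a template helper like this, the two things to check are whether any extract() call can reach a variable that later controls an include, and whether the data it extracts can originate from a request; EXTR_SKIP closes the first gap, and an allowlist on the view name plus a realpath containment check closes the second even if a future caller passes something unexpected.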
A proof of concept will be made available on the WPScan entry for this issue on January 4th, 2024.
Timeline
- 2023-12-08 – Details of the vulnerability sent to the Essential Blocks team
- 2023-12-18 – Patch released by the Essential Blocks team
- 2023-12-21 – Advisory & Blog Post Released
Credits
Original research: Marc Montpas
Thanks to the rest of the WPScan team for feedback, help, and corrections.