We provide premium cPanel hosting!

 
 
 

FixIt Alert: Essential Blocks”

Home > FixIt Alert: Essential Blocks”
 
Posted by on December 21, 2023 in | Comments

Alert From WPScan:

During an analysis of the Essential Blocks plugin, we discovered a pretty serious Local File Inclusion vulnerability that can be exploited by any attackers, regardless of whether they have an account on the site.

When successfully exploited, this vulnerability may let attackers include arbitrary files hosted on the server to be parsed and executed as PHP files, which could potentially lead to Remote Code Execution on certain server configurations.

Upon identifying the vulnerability, we promptly alerted the authors of that plugin, who released version 4.4.3 to fix the issue. It is crucial for administrators of sites using this plugin to ensure it is fully updated to safeguard against this vulnerability.

Unauthenticated Local File Inclusion

Fixed Version 4.4.3
CVE-ID CVE-2023-6623
WPVDB ID 633c28e0-0c9e-4e68-9424-55c32789b41f
CVSSv3.1 9.0 
/**
         * Get views for front-end display
         *
         * @param string $name  it will be file name only from the view's folder.
         * @param array  $data
         * @return void
         */
        public static function views( $name, $data = [] ) {
            $__file = static::get_views_path( $name );
            $helper = static::class;

            extract( $data );
            if ( is_readable( $__file ) ) {
                include $__file;
            }
        }

The plugin’s template system uses the PHP extract() function to populate variables meant to be used in the later included templates. Unfortunately, it did not use the function’s optional EXTR_SKIP flag to prevent it from overwriting already defined variables, such as the one holding the path to the template to include.

Unfortunately, the helper function in question was used with user input on a publicly accessible REST API route.

A proof of concept will be made available on the WPScan entry for this issue on January 4th, 2024.

Timeline

  • 2023-12-08 – Details of the vulnerability sent to the Essential Blocks team
  • 2023-12-18 – Patch released by the Essential Blocks team
  • 2023-12-21- Advisory & Blog Post Released

Credits

Original research: Marc Montpas

Thanks to the rest of the WPScan team for feedback, help, and corrections.

 
LazyLizard Internet, Inc. © 1995-2023 - All rights reserved
 
paypal credit card rapidssl