Authored by Marco Wotschka | Site wordfence.com

WordPress Essential Blocks plugin versions 4.2.0 and below and Essential Blocks Pro versions 1.1.0 and below suffer from multiple PHP object injection vulnerabilities.

advisories | CVE-2023-4386, CVE-2023-4402

Vulnerability Summary from Wordfence Intelligence

Description: Insecure Deserialization/PHP Object Injection via queries

Affected Plugin: Essential Blocks, Essential Blocks Pro

Plugin slug: essential-blocks, essential-blocks-pro

Vendor: WPDeveloper

Affected versions: <= 4.2.0 (Free) and <= 1.1.0 (Pro)

CVE ID: CVE-2023-4386

CVSS score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka

Fully Patched Version: 4.2.1 & 1.1.1

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Description: Insecure Deserialization/PHP Object Injection via products

Affected Plugin: Essential Blocks, Essential Blocks Pro

Plugin slug: essential-blocks

Vendor: WPDeveloper

Affected versions: <= 4.2.0 (Free) and <= 1.1.0 (Pro)

CVE ID: CVE-2023-4402

CVSS score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka

Fully Patched Version: 4.2.1 & 1.1.1

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Technical Analysis

The Essential Blocks plugin provides more than 40 blocks to its users including sliders, buttons, pricing tables, maps and others. An API is provided to query for posts and products via the queries and products API endpoints which do not require authentication.

Unfortunately, query data and attributes were passed in PHP’s serialized string format and were subsequently unserialized by the functions get_posts (for the queries endpoint) and get_products (for the products endpoint) in /includes/API/PostBlock.php and /includes/API/Product.php, respectively.

[Screenshot: get_posts function]

[Screenshot: get_products function]

Attackers could use this to inject a PHP object with properties of their choosing. If a PHP POP chain is present, an attacker may be able to execute arbitrary code, create and delete files, and potentially take over a vulnerable site. Fortunately, no POP chain is present in the Essential Blocks plugin, which means an attacker would need another plugin or theme containing a POP chain to be installed on the vulnerable site in order to fully exploit these vulnerabilities. It is worth mentioning that POP chains can sometimes be found in popular plugins and libraries which include destructor methods that perform cleanup tasks when an object is destroyed or deserialized.
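
The pattern described above, as an added example that is not the plugin's code or Wordfence's: a request value in PHP's serialized format is passed to unserialize(), shown next to two parsers that cannot instantiate objects. ExampleTempFile, the function names and the sample inputs are hypothetical and constructed for illustration; the class stands in for a destructor-bearing class from another plugin or theme and only records the path it would have acted on.

```php
<?php
// Added illustration; not code from Essential Blocks. All names are hypothetical.

// Stand-in for a class shipped by some other plugin or theme whose destructor
// performs cleanup. Here it only records the path it would have acted on.
class ExampleTempFile {
    public $path = '/tmp/example-cache';
    public static $log = [];
    public function __destruct() {
        self::$log[] = 'cleanup would touch: ' . $this->path;
    }
}

// Pattern from the advisory: untrusted serialized input goes to unserialize().
function parse_query_unsafe(string $raw) {
    return unserialize($raw);
}

// Safer: keep the serialized format but never instantiate classes, so no
// magic method of any installed code can run. Only a plain array is accepted.
function parse_query_no_objects(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Alternative: exchange the data as JSON, which cannot describe PHP objects.
function parse_query_json(string $raw): ?array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Constructed inputs: a normal query, and a serialized ExampleTempFile whose
// property value was chosen by the sender.
$legit   = serialize(['post_type' => 'post', 'per_page' => 5]);
$crafted = 'O:15:"ExampleTempFile":1:{s:4:"path";s:14:"/var/www/x.txt";}';

$obj = parse_query_unsafe($crafted);   // object is created from request data
unset($obj);                           // destructor runs with the sender's path
echo "unsafe:     ", json_encode(ExampleTempFile::$log), "\n";

ExampleTempFile::$log = [];            // reset before the hardened parsers
$result = parse_query_no_objects($crafted);
echo "no objects: ", json_encode($result), " log=", json_encode(ExampleTempFile::$log), "\n";
echo "legit:      ", json_encode(parse_query_no_objects($legit)), "\n";
echo "json:       ", json_encode(parse_query_json('{"post_type":"post","per_page":5}')), "\n";
```

With allowed_classes set to false, objects nested inside an array still arrive as inert __PHP_Incomplete_Class placeholders, so the expected keys and scalar types should be validated as well.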

Despite the lack of a POP chain in the Essential Blocks plugin itself, and the complexity involved in exploiting these types of vulnerabilities, a successful attack often leads to severe consequences. If you are interested in finding out more about their inner workings, we explain how PHP Object Injections work in a separate blog post.

Timeline

August 17, 2023 – The Wordfence Threat Intelligence team discovers two PHP Object Injection vulnerabilities in the Essential Blocks plugin.

August 18, 2023 – We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers and initiate the disclosure process.

August 23, 2023 – We send the full disclosure to the plugin developer.

August 29, 2023 – A patched version of the Essential Blocks plugin, 4.2.1 (1.1.1 for Pro), is released.

September 17, 2023 – The firewall rule becomes available to free Wordfence users.

Conclusion

In this blog post, we covered two PHP Object Injection vulnerabilities in the Essential Blocks plugin affecting versions 4.2.0 and earlier in the Free version of the plugin and versions 1.1.0 and earlier in the Pro version. These vulnerabilities allow unauthenticated threat actors to query the plugin’s API using serialized malicious payloads that are subsequently deserialized. They have been fully addressed in version 4.2.1 of the free version of the plugin and 1.1.1 of the Pro version of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Essential Blocks.

All Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of August 18, 2023. Users still using the free version of Wordfence received protection on September 17, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.