Last week, there were 55 vulnerabilities disclosed in 46 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 15 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via start_staging and get_staging_progress
• MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via save_settings_permission
• PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	16
Patched	39

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	37
High Severity	16
Critical Severity	2

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	18
Cross-Site Request Forgery (CSRF)	7
Missing Authorization	6
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Deserialization of Untrusted Data	5
Information Exposure	4
Authorization Bypass Through User-Controlled Key	3
Server-Side Request Forgery (SSRF)	2
Improper Control of Generation of Code (‘Code Injection’)	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Incorrect Privilege Assignment	1
Improper Authorization	1
Unverified Password Change	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher)	20
foobar7	5
Marco Wotschka (Wordfence Vulnerability Researcher)	5
Yan&Co ApS	2
Vladislav Pokrovsky	2
Chloe Chamberland (Wordfence Vulnerability Researcher)	1
Nguyen Anh Tien	1
Do Xuan Trung	1
osama-hamad	1
Rafie Muhammad	1
Dmitrii Ignatyev	1
Alex Thomas (Wordfence Vulnerability Researcher)	1
teo23mal	1
David Anderson	1
Pablo Sanchez	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
10Web Map Builder for Google Maps	wd-google-maps
Allow PHP in Posts and Pages	allow-php-in-posts-and-pages
Awesome Weather Widget	awesome-weather
BAN Users	ban-users
Booking Calendar	booking
Booking calendar, Appointment Booking System	booking-calendar
Booster for WooCommerce	woocommerce-jetpack
Checkout Field Editor	woocommerce-checkout-field-editor
Comments – wpDiscuz	wpdiscuz
Crayon Syntax Highlighter	crayon-syntax-highlighter
DoLogin Security	dologin
Dropbox Folder Share	dropbox-folder-share
Enable Media Replace	enable-media-replace
Essential Addons for Elementor	essential-addons-for-elementor-lite
Essential Blocks Pro	essential-blocks-pro
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
Feeds for YouTube (YouTube video, channel, and gallery plugin)	feeds-for-youtube
File Manager Pro – Filester	filester
Google Maps Plugin by Intergeo	intergeo-maps
Horizontal scrolling announcement	horizontal-scrolling-announcement
JQuery Accordion Menu Widget	jquery-vertical-accordion-menu
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation	zero-bs-crm
Leyka	leyka
Login with phone number	login-with-phone-number
MapPress Maps for WordPress	mappress-google-maps-for-wordpress
Migration, Backup, Staging – WPvivid	wpvivid-backuprestore
MultiVendorX – MultiVendor Marketplace Solution For WooCommerce	dc-woocommerce-multi-vendor
Page Builder: Pagelayer – Drag and Drop website builder	pagelayer
Photospace Responsive Gallery	photospace-responsive
PowerPress Podcasting plugin by Blubrry	powerpress
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress	quiz-master-next
Read More & Accordion	expand-maker
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF	shortpixel-image-optimiser
Simplr Registration Form Plus+	simplr-registration-form
Slimstat Analytics	wp-slimstat
Testimonial Slider Shortcode	testimonial-slider-shortcode
WP Customer Reviews	wp-customer-reviews
WP User Control	wp-user-control
WS Facebook Like Box Widget	ws-facebook-likebox
Welcart e-Commerce	usc-e-shop
WooCommerce	woocommerce
WooCommerce Beta Tester	woocommerce-beta-tester
WooCommerce CVR Payment Gateway	woocommerce-cvr-payment-gateway
WooCommerce EAN Payment Gateway	woocommerce-ean-payment-gateway
WooCommerce Subscription	woocommerce-subscriptions
WordPress File Upload	wp-file-upload
woocommerce-checkout-field-editor	woocommerce-checkout-field-editor

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Allow PHP in Posts and Pages <= 3.0.4 – Authenticated (Subscriber+) Remote Code Execution via Shortcode

---

Dropbox Folder Share <= 1.9.7 – Unauthenticated Local File Inclusion

---

Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Blind SQL Injection via Shortcode

---

Welcart e-Commerce <= 2.8.21 – Authenticated(level_5+) SQL Injection via get_logs

---

Simplr Registration Form Plus+ <= 2.4.5 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change

---

Login with phone number <= 1.4.8 – Cross-Site Request Forgery to User Password Change

---

Essential Addons for Elementor <= 5.8.8 – Authenticated (Contributor+) Privilege Escalation

---

BAN Users <= 1.5.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation

---

Horizontal scrolling announcement <= 9.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

---

File Manager Pro – Filester – <= 1.7.6 – Cross-Site Request Forgery to Arbitrary File Rename

---

MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via ‘save_settings_permission’

---

WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via ‘start_staging’ and ‘get_staging_progress’

---

Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via products

---

Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via queries

---

Read More & Accordion <= 3.2.2 – Authenticated (Administrator+) PHP Object Injection

---

Booking calendar, Appointment Booking System <= 3.2.8 – Multiple Authenticated(Editor+) SQL Injection

---

Dropbox Folder Share <= 1.9.7 – Unauthenticated Server-Side Request Forgery via ‘link’

---

WooCommerce Beta Tester < 2.2.4 – Authenticated (Administrator+) SQL Injection

---

Enable Media Replace <= 4.1.2 – Authenticated(Editor+) PHP Object Injection

---

ShortPixel Image Optimizer <= 5.4.1 – Authenticated(Editor+) PHP Object Injection

---

Booking Calendar <= 9.7.3 – Unauthenticated Stored Cross-Site Scripting

---

Testimonial Slider Shortcode <= 1.1.8 – Authenticated (Contributor+) Cross-Site Scripting Vulnerability via Shortcode

---

Feeds for YouTube <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Awesome Weather Widget <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Crayon Syntax Highlighter <= 2.8.4 – Authenticated (Contributor+) Server Side Request Forgery

---

WS Facebook Like Box Widget <= 5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Booster for WooCommerce <= 7.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL

---

JQuery Accordion Menu Widget <= 3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

MapPress Maps for WordPress <= 2.88.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Google Maps Plugin by Intergeo <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Horizontal scrolling announcement <= 9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Jetpack CRM <= 5.5.0 – Authenticated (Client+) Stored Cross-Site Scripting

---

PageLayer <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

WooCommerce <= 7.8.2 – Sensitive Information Exposure

---

wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Post Rating Increase/Decrease

---

wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Comment Rating Increase/Decrease

---

Leyka <= 3.30.3 – Authenticated (Subscriber+) Sensitive Information Exposure

---

WP User Control <= 1.5.3 – Insecure Password Reset Mechanism

---

WooCommerce <= 7.0.0 – Authenticated(Shop Manager+) Sensitive Information Exposure

---

WordPress File Upload <= 4.23.2 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

Jetpack CRM <= 5.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Photospace Responsive <= 2.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Migration, Backup, Staging – WPvivid <= 0.9.90 – Authenticated(Administrator+) Stored Cross-Site Scripting

---

WP Customer Reviews <= 3.6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WooCommerce Subscription < 4.6.0 – Cross-Site Request Forgery

---

DoLogin Security <= 3.7 – Missing Authorization on Dashboard Widget

---

WooCommerce EAN Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) EAN Update

---

Quiz And Survey Master <= 8.1.15 – Cross-Site Request Forgery via ‘display_results’

---

10Web Map Builder for Google Maps <= 1.0.73 – Cross-Site Request Forgery to Notice Dismissal

---

10Web Map Builder for Google Maps <= 1.0.73 – Missing Authorization to Notice Dismissal

---

Checkout Field Editor (Premium) < 1.7.5 – Cross-Site Request Forgery

---

Booster for WooCommerce <= 7.1.0 – Authenticated (Subscriber+) Information Disclosure via Shortcode

---

Checkout Field Editor <= 1.7.4 – Cross-Site Request Forgery to Checkout Fields Update

---

WooCommerce CVR Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) CVR Update

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 11, 2023 to September 17, 2023) appeared first on Wordfence.

On August 18, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two PHP Object Injection vulnerabilities in the Essential Blocks plugin for WordPress, a plugin with over 100,000 installations.

We received a response three days later and sent over our full disclosure on August 23, 2023. A patched version of the free plugin, 4.2.1, was released on August 29, 2023 with version 1.1.1 for the Pro version released the same day.

We issued a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on August 18, 2023. Sites still running the free version of Wordfence received the same protection on September 17, 2023. We recommend that all Wordfence users update to the patched version, 4.2.1 (1.1.1 for Pro), as soon as possible as this will entirely eliminate the vulnerabilities.

Vulnerability Summary from Wordfence Intelligence

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Technical Analysis

The Essential Blocks plugin provides more than 40 blocks to its users including sliders, buttons, pricing tables, maps and others. An API is provided to query for posts and products via the queries and products API endpoints which do not require authentication.

Unfortunately, query data and attributes were passed in PHP’s serialized string format and were subsequently unserialized by the functions get_posts (for the queries endpoint) and get_products (for the products endpoint) in /includes/API/PostBlock.php and /includes/API/Product.php, respectively.

get_posts function

get_products function

Attackers could utilize this to inject a PHP object with properties of their choosing. The presence of a PHP POP chain can make it possible for an attacker to execute arbitrary code, create and delete files and potentially ultimately take over a vulnerable site. Fortunately, no POP chain is present in the Essential Blocks plugin, which means an attacker would require another plugin or theme installed on the vulnerable site with a POP chain present in order to fully exploit these vulnerabilities. It is worth mentioning that POP chains can sometimes be found in popular plugins and libraries which include destructor methods that perform cleanup tasks when an Object is destroyed or deserialized.

Despite the lack of a POP chain in the Essential Blocks plugin itself, and the complexity involved in exploiting these types of vulnerabilities, a successful attack often leads to severe consequences. We explain how PHP Object Injections work in this blog post, if you are interested to find out more about their inner workings.

Timeline

August 17, 2023 – The Wordfence Threat Intelligence team discovers two PHP Object Injection vulnerabilities in the Essential Blocks plugin.
August 18, 2023 – We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers and initiate the disclosure process.
August 23, 2023 – We send the full disclosure to the plugin developer.
August 29, 2023 – A patched version of the Essential Blocks plugin, 4.2.1 (1.1.1 for Pro), is released.
September 17, 2023 – The firewall rule becomes available to free Wordfence users.

Conclusion

In this blog post, we covered two PHP Object Injection vulnerabilities in the Essential Blocks plugin affecting versions 4.2.0 and earlier in the Free version of the plugin and versions 1.1.0 and earlier in the Pro version. These vulnerabilities allow unauthenticated threat actors to query the plugin’s API using serialized malicious payloads that are subsequently deserialized. They have been fully addressed in version 4.2.1 of the free version of the plugin and 1.1.1 of the Pro version of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Essential Blocks.

All Wordfence running Wordfence Premium, Wordfence Care, and Wordfence Response, have been protected against these vulnerabilities as of August 18, 2023. Users still using the free version of Wordfence received protection on September 17, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Two PHP Object Injection Vulnerabilities Fixed in Essential Blocks appeared first on Wordfence.