9.8
CVE-2023-4402
- EPSS 2.87%
- Veröffentlicht 20.10.2023 07:15:15
- Zuletzt bearbeitet 21.11.2024 08:35:04
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginEssential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via products
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Mögliche Gegenmaßnahme
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns: Update to version 4.2.1, or a newer patched version
Essential Blocks Pro: Update to version 1.1.1, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
Version
* - 4.2.0
SystemWordPress Plugin
≫
Produkt
Essential Blocks Pro
Version
* - 1.1.0
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wpdeveloper ≫ Essential Blocks SwPlatformwordpress Version < 4.2.1
Wpdeveloper ≫ Essential Blocks Pro SwPlatformwordpress Version < 1.1.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.87% | 0.858 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.