Lucene search

PRIOn knowledge basePRION:CVE-2023-4402

HistoryOct 20, 2023 - 7:15 a.m.

Deserialization of untrusted data

2023-10-2007:15:00

PRIOn knowledge base

www.prio-n.com

wordpress

essential blocks

php object injection

unauthenticated attackers

pop chain

arbitrary files

sensitive data

code execution

9.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.5%

JSON

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CPENameOperatorVersion
essential_blockslt4.2.1
essential_blocks_prolt1.1.1

CPE	Name	Operator	Version
	essential_blocks	lt	4.2.1
	essential_blocks_pro	lt	1.1.1

References

plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/API/Product.php?rev=2950425

www.wordfence.com/threat-intel/vulnerabilities/id/1ede7a25-9bb2-408e-b7fb-e5bd4f594351?source=cve