CVE-2023-6623
published 2024-01-15
CVE-2023-6623: The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over…
Priority P187 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 50.67% (98.8th percentile)
The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdeveloper | essential_blocks | < 4.4.3 | 4.4.3 |
Detection & IOCs (extracted from sources)
url: `/index.php?rest_route=%2Fessential-blocks%2Fv1%2Fproducts&is_frontend=true&attributes={"__file":"/etc%2fpasswd"}`
- Detect exploitation attempts by monitoring GET requests to the REST API endpoint `/essential-blocks/v1/products` that contain the `__file` parameter, which is used to overwrite local variables for LFI.
- Successful exploitation is confirmed when the HTTP 200 response body contains the pattern `root:.*:0:0:` (i.e., /etc/passwd content), combined with the plugin readme.txt being accessible.
- The vulnerability is unauthenticated (PR:N) and exploitable over the network (AV:N) with no user interaction (UI:N), so no session/auth tokens are required in the attack request.
- Use the Shodan/FOFA fingerprint query to identify exposed WordPress instances running the vulnerable plugin.
- The attack vector abuses the `is_frontend=true` query parameter alongside the `attributes` parameter, whose JSON value contains `__file`, to trigger a local variable overwrite leading to LFI via the REST API.
- The vulnerability only affects Essential Blocks plugin versions prior to 4.4.3; patched installations (4.4.3+) are not vulnerable.
- The Nuclei template requires two sequential requests: the first to the REST API endpoint (LFI trigger) and the second to the readme.txt (plugin presence confirmation); both must return HTTP 200 for a positive match.
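The log-side check from the notes above, written out as an added example (not taken from the page or from any rule it references). It assumes combined-format access logs; the sample entries are constructed, and the `/wp-json/` form of the route is WordPress's standard alternative to `rest_route`, which the page itself does not mention.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/essential-blocks/v1/products"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return a hit dict if the line targets ROUTE with a `__file` attribute, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)
    # The route is reachable as ?rest_route=<route> or under /wp-json<route>.
    routes = [r.rstrip("/") for r in params.get("rest_route", [])]
    routes.append(unquote(url.path).rstrip("/").removeprefix("/wp-json"))
    if ROUTE not in routes:
        return None
    for raw in params.get("attributes", []):
        try:
            attrs = json.loads(raw)
        except ValueError:
            attrs = None  # log escaping (e.g. \x22) can leave the JSON unparseable
        if isinstance(attrs, dict) and "__file" in attrs:
            requested = str(attrs["__file"])
        elif attrs is None and "__file" in raw:
            requested = raw  # fall back to a literal key match, keep the raw value
        else:
            continue
        # Status 200 is only a lead: confirming a read needs the response body.
        return {"status": int(m.group("status")), "file": unquote(requested)}
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample entries; documentation IP ranges, `perPage` is a made-up attribute.
SAMPLE = [
    '203.0.113.7 - - [15/Jan/2024:10:00:00 +0000] "GET /index.php?rest_route='
    '%2Fessential-blocks%2Fv1%2Fproducts&is_frontend=true&attributes='
    '%7B%22__file%22%3A%22%2Fetc%2Fpasswd%22%7D HTTP/1.1" 200 1843',
    r'203.0.113.7 - - [15/Jan/2024:10:00:02 +0000] "GET /wp-json/essential-blocks'
    r'/v1/products?attributes={\x22__file\x22:\x22/etc%2fpasswd\x22} HTTP/1.1" 403 199',
    '198.51.100.4 - - [15/Jan/2024:10:01:00 +0000] "GET /index.php?rest_route='
    '%2Fessential-blocks%2Fv1%2Fproducts&attributes=%7B%22perPage%22%3A4%7D HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit with status 200 on a host still running a version below 4.4.3 is the case to triage first; the blocked 403 entry still records that the host was probed.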
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-phjg-gj5x-8j96: The Essential Blocks WordPress plugin before 4
ghsa_unreviewed·2024-01-15
CVE-2023-6623 [CRITICAL] CWE-22 GHSA-phjg-gj5x-8j96: The Essential Blocks WordPress plugin before 4
VulnCheck
wpdeveloper essential_blocks Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2023·CVSS 9.8
CVE-2023-6623 [CRITICAL] wpdeveloper essential_blocks Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: wpdeveloper essential_blocks
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://wpscan.com/blog/a-persistent-twist-in-the-current-malware-campaign/; https://app.crowdsec.net/cti/cve-explorer/CVE-2023-6623
No detection rules found.
Nuclei
Essential Blocks < 4.4.3 - Local File Inclusion
nuclei·CVSS 9.8
CVE-2023-6623 [CRITICAL] Essential Blocks < 4.4.3 - Local File Inclusion
WordPress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.
Template:
```yaml
id: CVE-2023-6623
info:
  name: Essential Blocks < 4.4.3 - Local File Inclusion
  author: iamnoooob,rootxharsh,pdresearch,coldfish
  severity: critical
  description: |
    Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, creden
```
https://wpscan.com/blog/file-inclusion-vulnerability-fixed-in-essential-blocks-4-4-3/
https://wpscan.com/vulnerability/633c28e0-0c9e-4e68-9424-55c32789b41f