cbcvebase.
CVE-2023-6623
published 2024-01-15


Priority: P187 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 50.67% (98.8th percentile)
The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.

Affected

1 range
Vendor | Product | Version range | Fixed in
wpdeveloper | essential_blocks | < 4.4.3 | 4.4.3

Detection & IOCs (extracted from sources)

url: /index.php?rest_route=%2Fessential-blocks%2Fv1%2Fproducts&is_frontend=true&attributes={"__file":"/etc%2fpasswd"}
path: /wp-content/plugins/essential-blocks/
path: /wp-content/plugins/essential-blocks/readme.txt
  • Detect exploitation attempts by monitoring GET requests to the REST API endpoint /essential-blocks/v1/products containing the `__file` parameter, which is used to overwrite local variables for LFI.
  • Successful exploitation is confirmed when the HTTP 200 response body contains the pattern `root:.*:0:0:` (i.e., /etc/passwd content), combined with the plugin readme.txt being accessible.
  • The vulnerability is unauthenticated (PR:N) and exploitable over the network (AV:N) with no user interaction (UI:N), so no session/auth tokens are required in the attack request.
  • Use the Shodan/FOFA fingerprint query to identify exposed WordPress instances running the vulnerable plugin.
  • The attack vector abuses the `is_frontend=true` query parameter alongside the `attributes` JSON body containing `__file` to trigger local variable overwrite leading to LFI via the REST API.
  • The vulnerability only affects Essential Blocks plugin versions prior to 4.4.3; patched installations (4.4.3+) are not vulnerable.
  • The Nuclei template requires two sequential requests: the first to the REST API endpoint (LFI trigger) and the second to the readme.txt (plugin presence confirmation); both must return HTTP 200 for a positive match.
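
The request-side detection from the first bullet, applied to web-server access logs, as an added example that is not taken from the page's sources or the plugin. It assumes Combined Log Format and constructed log lines (the `rows` attribute is made up), and also matches the `/wp-json/` form of the same REST route.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: client address, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
ROUTE = "/essential-blocks/v1/products"

def rest_route(target):
    """Return (route, query) for ?rest_route= and /wp-json/ style requests."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # values come back percent-decoded
    if "rest_route" in query:
        return query["rest_route"][0], query
    if "/wp-json/" in parts.path:
        return "/" + parts.path.split("/wp-json/", 1)[1], query
    return None, query

def has_file_override(raw):
    """True when the attributes JSON carries a `__file` key."""
    try:
        obj = json.loads(raw)  # parsing also resolves \u005f-style escapes
    except ValueError:
        return "__file" in raw  # malformed JSON: fall back to a substring check
    return isinstance(obj, dict) and "__file" in obj

def classify(line):
    """Return (client, status) for a suspected attempt, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    route, query = rest_route(target)
    if route is None or route.rstrip("/") != ROUTE:
        return None
    if any(has_file_override(v) for v in query.get("attributes", [])):
        return client, status
    return None

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '203.0.113.7 - - [15/Jan/2024:10:00:01 +0000] "GET /index.php?rest_route=%2Fessential-blocks%2Fv1%2Fproducts&is_frontend=true&attributes={%22__file%22:%22/etc%2fpasswd%22} HTTP/1.1" 200 1843',
    '203.0.113.7 - - [15/Jan/2024:10:00:02 +0000] "GET /wp-json/essential-blocks/v1/products?attributes={%22__file%22:%22/etc%2fpasswd%22} HTTP/1.1" 404 153',
    '198.51.100.4 - - [15/Jan/2024:10:00:03 +0000] "GET /index.php?rest_route=%2Fessential-blocks%2Fv1%2Fproducts&attributes={%22rows%22:2} HTTP/1.1" 200 5120',
    '198.51.100.4 - - [15/Jan/2024:10:00:04 +0000] "GET /wp-content/plugins/essential-blocks/readme.txt HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Access logs hold no response body, so the result is an attempt plus its status code; the `root:.*:0:0:` confirmation requires response capture.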

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL