WordPress Plugin Vulnerabilities
Essential Blocks for Gutenberg < 4.2.1 - Missing Authorization via AJAX actions
Description
The Essential Blocks for Gutenberg plugin for WordPress is vulnerable to unauthorized access to AJAX actions due to a missing capability check on several functions in versions up to, and including, 4.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to invoke those functions. A nonce check was performed in all of them. However, the nonce was leaked on the profile page. CVE-2023-51360 appears to be a duplicate of this issue.
Affects Plugins
References
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
Timeline
Publicly Published
2023-11-13 (about 6 months ago)
Added
2023-11-24 (about 5 months ago)
Last Updated
2024-01-22 (about 3 months ago)