Vulnerabilities > CVE-2023-2083 - Unspecified vulnerability in Wpdeveloper Essential Blocks
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
LOW Availability impact
NONE Summary
The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the save function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to save plugin settings. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check.
Vulnerable Configurations
References
- https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.0.6/includes/Admin/Admin.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2900595%40essential-blocks%2Ftrunk&old=2900029%40essential-blocks%2Ftrunk&sfp_email=&sfph_mail=#file2
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bf0933-1c97-4374-b323-c55b91fe4d27?source=cve
- https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.0.6/includes/Admin/Admin.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bf0933-1c97-4374-b323-c55b91fe4d27?source=cve
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2900595%40essential-blocks%2Ftrunk&old=2900029%40essential-blocks%2Ftrunk&sfp_email=&sfph_mail=#file2