WordPress Plugin Vulnerabilities

Essential Blocks < 4.4.3 - Unauthenticated Local File Inclusion

Description

The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.

Proof of Concept

Affects Plugins

Plugin icon
essential-blocks
Fixed in 4.4.3

References

CVE
CVE-2023-6623
URL
https://wpscan.com/blog/file-inclusion-vulnerability-fixed-in-essential-blocks-4-4-3/

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.0 (critical)

Miscellaneous

Original Researcher
Marc Montpas
Submitter
Marc Montpas
Submitter website
https://wpscan.com
Submitter twitter
marcS0H
Verified
Yes
WPVDB ID
633c28e0-0c9e-4e68-9424-55c32789b41f

Timeline

Publicly Published
2023-12-21 (about 2 years ago)
Added
2023-12-21 (about 2 years ago)
Last Updated
2023-12-21 (about 1 year ago)

Other

Published
Title
Published
2025-10-14
Title
XStore | Multipurpose WooCommerce Theme < 9.6 - Authenticated (Subscriber+) Local File Inclusion
Published
2023-11-27
Title
so-widgets-bundle < 1.51.0 - Admin+ Local File Inclusion
Published
2025-07-01
Title
Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2016-09-07
Title
WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
Published
2025-06-19
Title
HUSKY < 1.3.7.1 - Contributor+ Local File Inclusion