WordPress Plugin Vulnerabilities

Essential Blocks < 4.2.1 - Unauthenticated Object Injection

Description

The plugin doesn't prevent unauthenticated attackers from deserializing user input, which could allow them to run code on the server if they have a POP chain allowing them to do so.

Affects Plugins

Plugin icon
essential-blocks
Fixed in 4.2.1
Plugin icon
essential-blocks-pro
Fixed in 1.1.1

References

CVE
CVE-2023-4386
CVE
CVE-2023-4402
URL
https://www.wordfence.com/blog/2023/09/two-php-object-injection-vulnerabilities-fixed-in-essential-blocks/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
8ad3dc73-2c68-4b94-9378-372a39382493

Timeline

Publicly Published
2023-09-19 (about 2 years ago)
Added
2023-09-28 (about 2 years ago)
Last Updated
2023-09-28 (about 2 years ago)

Other

Published
Title
Published
2023-04-17
Title
Customizer Export/Import < 0.9.6 - Admin+ PHP Object Injection
Published
2024-03-13
Title
PropertyHive < 2.0.10 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-03-27
Title
Traveler < 3.2.1 - Unauthenticated PHP Object Injection
Published
2026-03-23
Title
Kamperen < 1.3 - Unauthenticated PHP Object Injection
Published
2026-04-20
Title
Elementra - 100% Elementor WordPress Theme < 1.1.0 - Unauthenticated PHP Object Injection