WordPress Plugin Vulnerabilities

Essential Blocks < 4.0.7 - Multiple Functions Missing Authorization Checks

Description

The plugin does not apply authorization checks on multiple sensitive functions in the plugin, making them reachable to users with low privileges like Subscribers. Additionally, its nonce validation logic can be bypassed. Affected functions include: save, get, templates, template_count,

Affects Plugins

Plugin icon
essential-blocks
Fixed in 4.0.7

References

CVE
CVE-2023-2083
CVE
CVE-2023-2084
CVE
CVE-2023-2085
CVE
CVE-2023-2086
CVE
CVE-2023-2087

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
f19789d1-edb2-411a-b0b9-256e977b5e8e

Timeline

Publicly Published
2023-04-18 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2025-03-04
Title
JNews - WordPress Newspaper Magazine Blog AMP Theme < 11.6.7 - Unauthorized User Registration
Published
2026-01-28
Title
Sendy < 3.4.3 - Missing Authorization
Published
2025-01-16
Title
Delete All Posts <= 1.1.1 - Missing Authorization
Published
2023-09-01
Title
Surfer < 1.3.3.379 - Missing Authorization
Published
2025-12-15
Title
Animation Addons for Elementor < 2.4.6 - Authenticated (Contributor+) Arbitrary Content Deletion