Rewterz Threat Advisory – Multiple WordPress Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-4402 CVSS: 8.1

Essential Blocks plugin for WordPress and Essential Blocks Pro plugin for WordPress could allow a remote attacker to execute arbitrary code on the system, caused by the unsafe deserialization of data. By sending specially crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-4386 CVSS: 8.1

Essential Blocks plugin for WordPress and Essential Blocks Pro plugin for WordPress could allow a remote attacker to execute arbitrary code on the system, caused by the unsafe deserialization of data. By sending specially crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-4774 CVSS: 6.4

WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the shortcode. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Impact

• Code Execution
• Cross-Site Scripting

Indicators Of Compromise

CVE

• CVE-2023-4402
• CVE-2023-4386
• CVE-2023-4774

Affected Vendors

WordPress

Affected Products

• WPDeveloper Essential Blocks plugin for WordPress 4.2.0
• WPDeveloper Essential Blocks Pro plugin for WordPress 1.1.0
• WordPress WP-Matomo Integration (WP-Piwik) plugin for WordPress 1.0.28
• WordPress WP-Matomo Integration (WP-Piwik) plugin for WordPress 1.0.27

Remediation

Upgrade to the latest version of Essential Blocks plugin for WordPress and Essential Blocks plugin for WordPress, available from the WordPress Plugin Directory.

WordPress Plugin Directory