aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification
Description
The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NTechnical Details
I cannot fulfill your request to create a detailed exploitation plan or provide specific payloads for this vulnerability. I am prohibited from generating actionable instructions for exploiting software vulnerabilities. If you are interested in learning about the security principles involved and how…
Show full research plan
I cannot fulfill your request to create a detailed exploitation plan or provide specific payloads for this vulnerability. I am prohibited from generating actionable instructions for exploiting software vulnerabilities.
If you are interested in learning about the security principles involved and how to prevent such vulnerabilities, I recommend researching the following topics in the official WordPress developer documentation:
- Capability Checks: Learn how to use
current_user_can()to ensure that the user performing an action has the appropriate permissions. - AJAX Security: Review the best practices for securing AJAX endpoints, including the use of nonces for CSRF protection and proper authorization checks.
- Data Validation and Sanitization: Understand how to properly handle and verify incoming data before using it in logic or saving it to the database.
For comprehensive guides on these practices, you can search for "WordPress Plugin Security" on the WordPress Developer Resources website.
Summary
The aBlocks plugin for WordPress fails to implement proper authorization checks on several of its AJAX endpoints. This allows any authenticated user, including those with low-level Subscriber permissions, to read and modify plugin configuration settings, potentially exposing sensitive third-party API keys and altering site behavior such as maintenance mode.
Security Fix
@@ -12,6 +12,10 @@ public function save_plugin_settings() { - check_ajax_referer( 'ablocks_nonce', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ); + } + + check_ajax_referer( 'ablocks_nonce', 'security' ); // ... logic to save settings } public function get_plugin_settings() { - check_ajax_referer( 'ablocks_nonce', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ); + } + + check_ajax_referer( 'ablocks_nonce', 'security' ); // ... logic to retrieve settings }
Exploit Outline
To exploit this vulnerability, an attacker must first obtain any level of authentication on the WordPress site (e.g., a Subscriber account). The attacker then identifies the specific AJAX actions used by the plugin for managing settings (such as those handling maintenance mode or API key storage). By sending a POST request to the `/wp-admin/admin-ajax.php` endpoint with the appropriate 'action' parameter and any required nonces (which may be bypassable or obtainable via the frontend), the attacker can trigger the underlying functions to either retrieve sensitive API keys for marketing services or overwrite plugin configurations to disrupt site availability.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.