bBlocks – Essential Gutenberg Blocks & Patterns Collection < 2.0.30 - Missing Authorization
Description
The bBlocks – Essential Gutenberg Blocks & Patterns Collection plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 2.0.30 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.0.30
Source Code
WordPress.org SVN## 1. Vulnerability Summary The **bBlocks – Essential Gutenberg Blocks & Patterns Collection** plugin for WordPress is vulnerable to **Missing Authorization** in versions prior to 2.0.30. The vulnerability exists because certain internal functions—likely those handling plugin settings or block conf…
Show full research plan
1. Vulnerability Summary
The bBlocks – Essential Gutenberg Blocks & Patterns Collection plugin for WordPress is vulnerable to Missing Authorization in versions prior to 2.0.30. The vulnerability exists because certain internal functions—likely those handling plugin settings or block configurations—are registered as AJAX or REST API endpoints without sufficient capability checks (e.g., current_user_can( 'manage_options' )).
This allows an unauthenticated attacker to modify plugin settings, enable/disable blocks, or perform other administrative actions by sending crafted requests to the vulnerable endpoints.
2. Attack Vector Analysis
- Endpoint: Likely a REST API route registered under the
bblocks/v1namespace or an AJAX action registered viawp_ajax_nopriv_. - Vulnerable Route/Action: Based on the
admin-dashboard.jsasset, the likely target is the settings update endpoint:POST /wp-json/bblocks/v1/settings(inferred) orwp_ajax_bblocks_save_settings(inferred). - Authentication: None required (unauthenticated).
- Parameter: The payload is likely a JSON object or POST array containing block status or general settings (e.g.,
active_blocks,settings_data). - Preconditions: The plugin must be active. No specific block needs to be placed on the frontend for the settings endpoint to be reachable.
3. Code Flow
- Registration: The plugin registers a REST API route in a file like
includes/class-admin.phporincludes/rest-api.phpusingregister_rest_route(). - Missing Callback: The
permission_callbackargument inregister_rest_route()is either missing, set to__return_true, or fails to check for administrative capabilities. - Processing: When a request is made to the endpoint, the handler function (e.g.,
save_settingsorupdate_options) is executed. - Sink: The handler calls
update_option()with user-supplied data from the request, allowing an attacker to overwrite plugin configurations.
4. Nonce Acquisition Strategy
If the endpoint is a REST API route and the vulnerability is a total lack of authorization for unauthenticated users, a nonce is typically not required for the request to succeed. WordPress only requires the X-WP-Nonce header for REST requests that use Cookie authentication to prevent CSRF against logged-in users.
However, if the plugin's code explicitly checks a custom nonce, follow these steps to retrieve it using the browser_eval tool:
- Identify the Dashboard Page: The
admin-dashboard.jsscript is typically loaded on the plugin's admin page. - Create a Trigger: Since we are unauthenticated, we need to check if the plugin leaks the nonce on the frontend. Check
wp_localize_scriptcalls in the PHP source. - Standard Procedure:
- Navigate to the WordPress homepage or a page containing a bBlock.
- Search the HTML source for localized scripts. Look for variables like
bBlocksAdminParamsorbBlocksData. - JavaScript Variable:
window.bBlocksAdminParams?.nonce(inferred).
- Alternative: If the nonce is only in the admin area, but the endpoint is
noprivor an open REST route, try the exploit without a nonce first.
5. Exploitation Strategy
The goal is to modify the plugin's settings (e.g., disabling all Gutenberg blocks provided by the plugin).
Step 1: Discover the Endpoint
The agent should first confirm the REST namespace and route by searching the plugin files:
grep -r "register_rest_route" .
Look for a route with the bblocks namespace and a POST method.
Step 2: Craft the Exploit Request
Assuming the endpoint is /wp-json/bblocks/v1/settings:
- URL:
http://<target>/wp-json/bblocks/v1/settings - Method:
POST - Headers:
Content-Type: application/json
- Payload (JSON):
(Note: The exact structure of the JSON depends on the discovered handler's logic. If it uses{ "settings": { "active_blocks": [] } }update_option('bblocks_settings', ...)directly, the payload might mirror the option's structure.)
Step 3: Execute via http_request
# Example for the PoC agent
response = http_request(
url="http://localhost:8080/wp-json/bblocks/v1/settings",
method="POST",
headers={"Content-Type": "application/json"},
body='{"settings": {"active_blocks": []}}'
)
6. Test Data Setup
- Install bBlocks: Ensure version
< 2.0.30is installed. - Verify Initial State: Use WP-CLI to check the current settings:
wp option get bblocks_settings - Place a Block: (Optional) Create a post with a bBlock (e.g., "Advanced Image") to see it break after the exploit:
wp post create --post_type=post --post_status=publish --post_content='<!-- wp:bblocks/advanced-image -->...<!-- /wp:bblocks/advanced-image -->'
7. Expected Results
- HTTP Response: A
200 OKor201 Createdresponse, likely returning the updated settings object. - Side Effect: The WordPress option
bblocks_settings(or similar) will be updated in the database. - Frontend Impact: The blocks managed by bBlocks may disappear or fail to render on the site because they have been "deactivated" via the settings.
8. Verification Steps
- Database Check: Verify the option was changed:
Thewp option get bblocks_settingsactive_blockslist should now be empty or match your payload. - Plugin Dashboard: Log in as admin and navigate to the bBlocks dashboard (
/wp-admin/admin.php?page=b-blocks-dashboard). All blocks should appear as "disabled."
9. Alternative Approaches
If the REST API is not vulnerable or requires a nonce that cannot be leaked:
- AJAX Search: Search for
wp_ajax_nopriv_bblocks_actions in the code:grep -r "wp_ajax_nopriv" . - Setting Manipulation: If the plugin uses
admin_initto save settings without ais_admin()or capability check, try sending the POST request directly to the admin dashboard URL:# Check for admin_init handlers that process $_POST grep -r "admin_init" . - Block-Specific Settings: Some plugins allow per-block settings to be updated via a similar missing-auth endpoint. If global settings are protected, look for routes like
/wp-json/bblocks/v1/block-config.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.