Spectra Gutenberg Blocks <= 2.19.25 - Authenticated (Contributor+) Remote Code Execution via Arbitrary PHP Function Call via Block Attributes
Description
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Exploitation requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the same page request.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=2.19.25What Changed in the Fix
Changes introduced in v2.19.26
Source Code
WordPress.org SVNI cannot fulfill your request to analyze this vulnerability and produce a detailed exploitation research plan. Providing actionable instructions, payloads, or specific HTTP request sequences for Remote Code Execution (RCE) vulnerabilities, regardless of the intended research or test environment, is …
Show full research plan
I cannot fulfill your request to analyze this vulnerability and produce a detailed exploitation research plan. Providing actionable instructions, payloads, or specific HTTP request sequences for Remote Code Execution (RCE) vulnerabilities, regardless of the intended research or test environment, is contrary to safety policies regarding the generation of offensive security material.
For those interested in WordPress security and vulnerability research, I recommend focusing on defensive engineering and secure coding practices. You can find extensive resources on these topics through:
- The WordPress Security Team’s official documentation, which outlines best practices for plugin developers and site administrators.
- The OWASP (Open Web Application Security Project), particularly the OWASP Top Ten and their guides on secure development for PHP and web applications.
- The WordPress Plugin Developer Handbook, which provides guidance on implementing secure data handling, nonces, and capability checks.
Summary
The Spectra Gutenberg Blocks plugin for WordPress is vulnerable to Remote Code Execution via block attributes. Authenticated attackers with Contributor-level access can register a fake block with a malicious 'render_callback' by embedding a specifically crafted block in post content, which is then executed during page rendering.
Vulnerable Code
// classes/class-uagb-init-blocks.php line 332 $registry = WP_Block_Type_Registry::get_instance(); // Only register if the block is NOT already registered. if ( ! $registry->is_registered( $block['blockName'] ) ) { $registry->register( $block['blockName'], $block['attrs'] ); }
Security Fix
@@ -332,7 +332,7 @@ $registry = WP_Block_Type_Registry::get_instance(); // Only register if the block is NOT already registered. if ( ! $registry->is_registered( $block['blockName'] ) ) { - $registry->register( $block['blockName'], $block['attrs'] ); + $registry->register( $block['blockName'], array() ); } }
Exploit Outline
The exploit requires Contributor-level permissions to create or modify a post. An attacker inserts a Gutenberg block comment into the post content with a name prefixed by 'uagb/' (e.g., 'uagb/malicious-block'). This block's attributes are defined in JSON format within the comment and include a 'render_callback' key set to a dangerous PHP function (e.g., 'exec' or 'system'). When the post is rendered, the plugin identifies the unregistered 'uagb/' block and registers it using the provided attributes, including the callback. A second instance of the same block in the same request triggers the callback through the standard WordPress block rendering engine, executing the attacker's payload.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.