Two PHP Object Injection Vulnerabilities Fixed in Essential Blocks
On August 18, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two PHP Object Injection vulnerabilities in the Essential Blocks plugin for WordPress, a plugin with over 100,000 installations.
We received a response three days later and sent over our full disclosure on August 23, 2023. A patched version of the free plugin, 4.2.1, was released on August 29, 2023, and version 1.1.1 of the Pro version was released the same day.
We issued a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on August 18, 2023. Sites still running the free version of Wordfence received the same protection on September 17, 2023. We recommend that all Wordfence users update to the patched version, 4.2.1 (1.1.1 for Pro), as soon as possible, as this will entirely eliminate the vulnerabilities.
Vulnerability Summary from Wordfence Intelligence
Description: Insecure Deserialization/PHP Object Injection via queries
Affected Plugin: Essential Blocks, Essential Blocks Pro
Plugin slug: essential-blocks, essential-blocks-pro
Vendor: WPDeveloper
Affected versions:
Source: wordfence.com