Advisory

Kadence Blocks plugin for WordPress patches critical vulnerability

Take action: A fairly simple patch to implement, and a priority one if you are self-hosting or running on a small WordPress hosting service. Don't panic, but don't delay the patch either, although your hosting provider may already be mitigating the risk for you.


Learn More

The Kadence Blocks plugin, utilized on over 300,000 WordPress websites, has addressed a critical security vulnerability related to its Advanced Form Block's file upload feature.

The plugin's development team has issued an advisory on their blog, outlining the vulnerability's nature and its potential for exploitation.

Introduced within Kadence Blocks 3.1, the Kadence Advanced Form Block empowers site administrators to incorporate file upload functionality into their websites.

The security issue stems from insufficient checks within the Advanced Form Block's code, which allow its file type restrictions to be bypassed. This vulnerability could enable malicious actors to upload files posing as legitimate image types but actually containing PHP code. If that code can be executed, it could be used to attack the WordPress installation and ultimately compromise the affected website.

Successful exploitation hinges on server-level settings that are considered insecure. While many premium hosting providers protect upload folders from PHP execution at the server level, budget hosting providers might lack this level of protection.

Websites not utilizing the Advanced Form Block file upload feature remain unaffected by this vulnerability. To date, there is no reported exploitation of this vulnerability.

The vulnerability was mitigated through the release of version 3.1.11 on August 8, 2023.

To further enhance file upload security, developers should restrict file types, implement authentication, and conduct virus scans.
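As an added illustration of the "restrict file types" advice (example code, not the Kadence Blocks code), the PHP below contrasts a check that trusts the client-supplied name and MIME type with one that inspects the file's actual contents. It assumes a plain PHP upload handler and an allow-list of image types; the helper names are assumptions.

```php
<?php
// Added example: content-based image validation for an upload handler.
// Not the plugin's code; the allow-list and helper names are assumptions.

// Extension -> MIME type pairs this handler is willing to accept.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Weak check: relies on the client-chosen file name and the browser-supplied
 * MIME type, both of which the uploader controls. A file named "photo.png"
 * that actually holds PHP passes this check.
 */
function weak_is_image(string $client_name, string $client_mime): bool {
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    return isset(ALLOWED_IMAGE_TYPES[$ext]) && ALLOWED_IMAGE_TYPES[$ext] === $client_mime;
}

/**
 * Stronger check: the extension must be on the allow-list, the MIME type
 * sniffed from the file's magic bytes must match that extension, and the
 * image must decode. Returns a fresh safe filename on success, null on rejection.
 */
function validate_uploaded_image(string $tmp_path, string $client_name): ?string {
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;                          // unknown or disallowed extension
    }
    // Reject names with more than one dot (e.g. "x.php.png") rather than cleaning them.
    if (substr_count(basename($client_name), '.') !== 1) {
        return null;
    }
    $finfo     = new finfo(FILEINFO_MIME_TYPE);
    $real_mime = $finfo->file($tmp_path);     // sniffed from content, not the request
    if ($real_mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;                          // contents do not match the extension
    }
    if (@getimagesize($tmp_path) === false) {
        return null;                          // not a decodable image
    }
    // Never reuse the client's name: store under a random name with the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
```

Content sniffing does not reject a valid image with PHP appended to it, which is why the server-level rule that denies PHP execution inside the uploads folder, mentioned above, remains the primary mitigation.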
