Description

WordPress Plugin Spectra-WordPress Gutenberg Blocks is prone to multiple security bypass vulnerabilities. Exploiting these issues may allow attackers to perform otherwise restricted actions and subsequently change some settings, or inject content into pages and posts. WordPress Plugin Spectra-WordPress Gutenberg Blocks version 2.3.0 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 2.3.2 or latest

References

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-broken-access-control-csrf-on-import-wpforms-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-contributor-recaptcha-settings-change-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-captcha-bypass-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-unauthenticated-email-html-injection-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-unauthenticated-email-spoofing-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-broken-access-control-csrf-on-activate-plugin-vulnerability

https://plugins.svn.wordpress.org/ultimate-addons-for-gutenberg/trunk/readme.txt

Related Vulnerabilities

Prototype CVE-2020-27511 Vulnerability (CVE-2020-27511)

WordPress Plugin Block wp-login Cross-Site Request Forgery (1.3.0)

Joomla! Core 3.x.x Security Bypass (3.0.0 - 3.9.19)

WordPress Plugin Shortlinks by Pretty Links-Best WordPress Link Tracking Cross-Site Scripting (1.6.0)

Jenkins Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2018-1000864)

Severity

High

Classification

CVE-2023-23729 CVE-2023-23730 CVE-2023-23735 CVE-2023-23738 CVE-2023-23825 CVE-2023-23834 CWE-284 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass