Block Logic WordPress Plugin Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the Block Logic – Full Gutenberg Block Display Control plugin for WordPress, affecting all versions through 1.0.8. The issue arises in the block_logic_check_logic function, where user input is evaluated unsafely. This vulnerability allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where the affected WordPress site is hosted.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can manipulate the 'blockLogic' attribute of a block using the Block Logic plugin. The block_logic_check_logic function will then evaluate the input as PHP code, potentially leading to code execution on the server.
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and consider a replacement.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.