Kadence Blocks Page Builder Toolkit for Gutenberg Editor Authorization Bypass Vulnerability Allowing Unauthorized Media Upload
Vulnerability
A vulnerability exists in the Kadence Blocks Page Builder Toolkit for Gutenberg Editor plugin for WordPress, in all versions through 3.6.3. The plugin's REST API endpoint 'process_pattern' does not properly verify that the requesting user has the 'upload_files' capability. As a result, authenticated attackers with contributor-level access or higher can upload images to the WordPress Media Library. The upload happens indirectly: the request supplies remote image URLs, which the server retrieves and saves as media attachments.
Impact
Exploitation of this vulnerability allows for unauthorized image uploads to the WordPress Media Library, potentially leading to misuse of the uploaded images or manipulation of content using the uploaded media.
Reproduction
To reproduce this vulnerability, an authenticated user with contributor-level access can send a request to the 'process_pattern' REST API endpoint. The request must include remote image URLs. The server will download these images and upload them to the WordPress Media Library as attachments.
Remediation
Users are advised to update the Kadence Blocks Page Builder Toolkit for Gutenberg Editor plugin to version 3.6.4 or later.
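After updating, it is worth checking whether the Media Library already holds files created by accounts that should not have been able to upload. The script below is an added example, not code from the plugin or its vendor. It assumes WP-CLI is available, that an attachment's post_author is the account that triggered the upload, and the file name audit-media-authors.php is hypothetical.

```php
<?php
/**
 * Added example (not plugin code): list Media Library attachments whose
 * author does not hold the 'upload_files' capability.
 * Run inside the WordPress install: wp eval-file audit-media-authors.php
 * Assumption: post_author is the account that triggered the upload.
 */

$per_page = 200;
$paged    = 1;
$findings = array();

do {
    // Page through attachment IDs so large libraries do not exhaust memory.
    $ids = get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',
        'posts_per_page' => $per_page,
        'paged'          => $paged++,
        'fields'         => 'ids',
        'orderby'        => 'ID',
        'order'          => 'ASC',
    ) );

    foreach ( $ids as $id ) {
        $author_id = (int) get_post_field( 'post_author', $id );
        $author    = $author_id ? get_userdata( $author_id ) : false;

        // Accounts that may legitimately upload are out of scope.
        if ( $author && user_can( $author, 'upload_files' ) ) {
            continue;
        }

        // Deleted or unset authors are reported too, since ownership is unknown.
        $findings[] = array(
            'attachment_id' => $id,
            'uploaded_gmt'  => get_post_field( 'post_date_gmt', $id ),
            'author'        => $author ? $author->user_login : "missing user #{$author_id}",
            'roles'         => $author ? implode( ',', $author->roles ) : '-',
            'url'           => wp_get_attachment_url( $id ),
        );
    }
} while ( count( $ids ) === $per_page );

if ( empty( $findings ) ) {
    WP_CLI::success( 'No attachments authored by accounts lacking upload_files.' );
} else {
    WP_CLI\Utils\format_items( 'table', $findings, array_keys( $findings[0] ) );
    WP_CLI::warning( count( $findings ) . ' attachment(s) need review.' );
}
```

A row in the output is a lead, not proof: an account's role may have been lowered after a legitimate upload, so compare the upload time with the account's role history before removing anything.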
