Description

WordPress Plugin Spectra-WordPress Gutenberg Blocks is prone to multiple security bypass vulnerabilities. Exploiting these issues may allow attackers to perform otherwise restricted actions and subsequently change some settings, or inject content into pages and posts. WordPress Plugin Spectra-WordPress Gutenberg Blocks version 2.3.0 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 2.3.2 or latest

References

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-broken-access-control-csrf-on-import-wpforms-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-contributor-recaptcha-settings-change-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-captcha-bypass-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-unauthenticated-email-html-injection-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-unauthenticated-email-spoofing-vulnerability

https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-broken-access-control-csrf-on-activate-plugin-vulnerability

https://plugins.svn.wordpress.org/ultimate-addons-for-gutenberg/trunk/readme.txt

Related Vulnerabilities

Apache Tomcat Improper Privilege Management Vulnerability (CVE-2020-1938)

Oracle Application Server CVE-2008-7237 Vulnerability (CVE-2008-7237)

WordPress Plugin CP Reservation Calendar SQL Injection (1.1.6)

WordPress Plugin AMP for WP-Accelerated Mobile Pages Security Bypass (0.9.97.19)

WordPress Plugin DSGVO All in one for WP Cross-Site Scripting (3.9)

Severity

High

Classification

CVE-2023-23729 CVE-2023-23730 CVE-2023-23735 CVE-2023-23738 CVE-2023-23825 CVE-2023-23834 CWE-284 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass