Vulnerability Description
The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/WordPressBugBounty/plugins-gutenkit-blocks-addon/blob/dc3738b
- https://plugins.trac.wordpress.org/browser/gutenkit-blocks-addon/tags/2.1.0/incl
- https://plugins.trac.wordpress.org/browser/gutenkit-blocks-addon/tags/2.1.1/incl
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e44c5dc0-6bf6-417a-938
FAQ
What is CVE-2024-9234?
CVE-2024-9234 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and...
How severe is CVE-2024-9234?
CVE-2024-9234 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-9234?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.