CVE-2023-6623
CRITICAL | EXPLOITED | NUCLEI
Essential Blocks <4.4.3 - Code Injection
Title source: llm
Exploitation Summary
CVE-2023-6623 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.
Nuclei Templates (1)
Essential Blocks < 4.4.3 - Local File Inclusion
CRITICAL | VERIFIED | by iamnoooob, rootxharsh, pdresearch, coldfish
Shodan:
http.html:/wp-content/plugins/essential-blocks/
FOFA:
body=/wp-content/plugins/essential-blocks/
References (2)
Core References
Exploit, Third Party Advisory
https://wpscan.com/blog/file-inclusion-vulnerability-fixed-in-essential-blocks-4-4-3/
Exploit, Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/633c28e0-0c9e-4e68-9424-55c32789b41f
Scores
CVSS v3: 9.8
EPSS: 0.5067
EPSS Percentile: 98.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
VulnCheck KEV: 2024-05-13
CWE: CWE-22
Status: published
Products (1)
wpdeveloper/essential_blocks < 4.4.3
Published: Jan 15, 2024
Tracked Since: Feb 18, 2026