CVE-2023-6623

CRITICAL EXPLOITED NUCLEI

Essential Blocks <4.4.3 - Code Injection

Description

The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.

Nuclei Templates (1)

Essential Blocks < 4.4.3 - Local File Inclusion
CRITICAL VERIFIED by iamnoooob, rootxharsh, pdresearch, coldfish
Shodan: http.html:/wp-content/plugins/essential-blocks/
FOFA: body=/wp-content/plugins/essential-blocks/

Scores

CVSS v3 9.8
EPSS 0.8812
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-05-13
CWE CWE-22
Status published
Products (1)
wpdeveloper/essential_blocks < 4.4.3
Published Jan 15, 2024
Tracked Since Feb 18, 2026