Executive Summary

The vulnerability exists in the Gutenberg Blocks with AI by Kadence WP plugin for WordPress, affecting all versions up to and including 3.6.1. It is caused by a missing authorization check in the function process_image_data_ajax_callback(), which handles an AJAX action for processing image data.

Specifically, the function only verifies if the user has the edit_posts capability but fails to check if the user has the upload_files capability. Because of this, authenticated users with Contributor-level access or higher can upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the usual restrictions that prevent Contributors from uploading files.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users with Contributor-level access or above to upload arbitrary images from remote URLs to the WordPress Media Library, even though Contributors normally do not have permission to upload files.

The impact is an unauthorized ability to add media content, which could be used to upload malicious images or content that might be leveraged for further attacks or to bypass security policies.

The CVSS score of 4.3 (Medium severity) reflects the limited but significant impact on integrity due to this improper authorization.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Gutenberg Blocks with AI by Kadence WP plugin allowing authenticated users with Contributor-level access and above to upload arbitrary images via the AJAX action `kadence_import_process_image_data` due to missing authorization checks.

To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the AJAX endpoint that handles the `kadence_import_process_image_data` action.

• Check your web server access logs for POST requests containing the parameter `action=kadence_import_process_image_data`.
• Use command-line tools like grep to filter logs, for example: `grep 'action=kadence_import_process_image_data' /var/log/apache2/access.log` or the equivalent path for your web server.
• Monitor WordPress AJAX requests for unusual image upload activity from users with Contributor-level roles.

Since the vulnerability allows uploading images from remote URLs, suspicious network traffic involving outbound connections to unknown image URLs initiated by the WordPress server could also be an indicator.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately update the Gutenberg Blocks with AI by Kadence WP plugin to a version later than 3.6.1 where the missing authorization check has been fixed.

If an update is not immediately available, restrict access to the vulnerable AJAX action by limiting Contributor-level users' ability to trigger the `kadence_import_process_image_data` action.

• Temporarily disable or remove the plugin until a patched version is released.
• Implement additional capability checks in the plugin code to ensure the `upload_files` capability is verified before processing image uploads.
• Monitor logs for suspicious activity and revoke or review permissions for users with Contributor-level access.

Useful 0 Not Useful 0