CVE-2023-6964
📋 TL;DR
This vulnerability in the Kadence Blocks WordPress plugin allows authenticated attackers with contributor-level access or higher to perform Server-Side Request Forgery (SSRF) attacks. Attackers can make arbitrary web requests from the vulnerable server, potentially accessing internal services and sensitive information. All WordPress sites using vulnerable versions of Kadence Blocks are affected.
💻 Affected Systems
- Gutenberg Blocks by Kadence Blocks – Page Builder Features WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data from internal networks, perform port scanning, or interact with cloud metadata services to escalate privileges.
Likely Case
Attackers with contributor access could probe internal networks, access internal APIs, or interact with services that should be restricted to internal use only.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to information disclosure from services accessible to the web server.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Contributor-level access is relatively easy to obtain in many WordPress installations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.27 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3019592%40kadence-blocks&old=2996625%40kadence-blocks
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Kadence Blocks' and click 'Update Now'.
4. Verify version is 3.1.27 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove the vulnerable 'kadence_import_get_new_connection_data' AJAX action handler.
Add to theme's functions.php or a custom plugin, hooked late enough to run after the plugin has registered the action (remove_action only takes effect if the callback and priority match what the plugin registered): remove_action('wp_ajax_kadence_import_get_new_connection_data', 'kadence_import_get_new_connection_data');
Restrict user roles
Limit contributor-level access to trusted users only.
🧯 If You Can't Patch
- Implement network segmentation to restrict web server access to internal services
- Deploy web application firewall rules to block SSRF patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Kadence Blocks version. If version is 3.1.26 or lower, you are vulnerable.
Check Version:
wp plugin list --name=kadence-blocks --field=version
Verify Fix Applied:
After updating, verify Kadence Blocks version shows 3.1.27 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=kadence_import_get_new_connection_data
- Outbound web requests from web server to internal IP ranges or unusual domains
Network Indicators:
- Web server making requests to internal services (192.168.*, 10.*, 172.16-31.*)
- Requests to cloud metadata endpoints (169.254.169.254)
SIEM Query:
source="web_server_logs" AND (url_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "action=kadence_import_get_new_connection_data")
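The two log indicators above, turned into a small detector as an added example (not part of the original advisory). It assumes constructed sample logs: an Apache combined-format access log in which the POST body's action parameter has been copied into the query string (POST bodies are not normally logged, so real deployments need WAF or body logging to see it), and a three-field egress-proxy log of outbound connections from the web server.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (not real traffic); action= shown in the
# query string for illustration because POST bodies are not normally logged.
ACCESS_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=kadence_import_get_new_connection_data HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
198.51.100.9 - - [10/Jan/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
"""

# Constructed egress-proxy log: "<timestamp> <client> <destination ip>".
EGRESS_LOG = """\
2024-01-10T10:01:03Z webserver 169.254.169.254
2024-01-10T10:01:04Z webserver 10.0.3.7
2024-01-10T10:01:09Z webserver 93.184.216.34
"""

SSRF_ACTION = "kadence_import_get_new_connection_data"
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

def suspicious_ajax_requests(log_text):
    """Return (source_ip, path) for requests that invoke the vulnerable AJAX action."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/wp-admin/admin-ajax.php":
            continue
        # parse_qs handles repeated or encoded parameters, unlike a substring match
        if SSRF_ACTION in parse_qs(parts.query).get("action", []):
            hits.append((m.group("src"), parts.path))
    return hits

def internal_destinations(log_text):
    """Return outbound destinations in private, loopback or link-local ranges
    (the cloud metadata endpoint 169.254.169.254 is link-local)."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # hostnames would need resolving first; skipped here
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            flagged.append(str(ip))
    return flagged
```

Correlating a hit from the first function with an internal destination a few seconds later from the same web server is the strongest signal; either alone can be legitimate traffic.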
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3019592%40kadence-blocks&old=2996625%40kadence-blocks&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b01ad77f-2349-48bb-b4e9-f7cbce435de9?source=cve