CVE-2024-3564
📋 TL;DR
The Content Blocks (Custom Post Widget) WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with contributor-level access or higher to include and execute arbitrary files on the server. This can lead to PHP code execution, access control bypass, and data exfiltration. All WordPress sites running version 3.3.0 or earlier of this plugin are affected.
💻 Affected Systems
- WordPress Content Blocks (Custom Post Widget) plugin
📦 What is this software?
Content Blocks by Vanderwijk
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via arbitrary PHP code execution leading to complete site takeover, data theft, and lateral movement to other systems.
Likely Case
Unauthorized file access leading to sensitive data exposure, privilege escalation, and backdoor installation for persistent access.
If Mitigated
Limited impact if proper file permissions and input validation are in place, but still potential for information disclosure.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is in the 'content_block' shortcode parameter handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3078739%40custom-post-widget&new=3078739%40custom-post-widget
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Content Blocks (Custom Post Widget)'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.3.1+ from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the 'content_block' shortcode functionality
Add to theme functions.php: remove_shortcode('content_block');
Restrict user roles
Temporarily restrict contributor-level access until the patch is applied
Use WordPress role management plugins or custom code to limit contributor permissions
🧯 If You Can't Patch
- Disable or remove the Content Blocks plugin entirely
- Implement strict file system permissions and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Content Blocks (Custom Post Widget)' version 3.3.0 or lower
Check Version:
wp plugin list --name=custom-post-widget --field=version (if WP-CLI is installed; the slug is the plugin's repository directory name, as seen in the changeset URL above)
Verify Fix Applied:
Confirm plugin version is 3.3.1 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion attempts in web server logs
- Multiple requests to content_block shortcode with file path parameters
- PHP error logs showing file inclusion errors
Network Indicators:
- HTTP requests containing 'content_block' parameter with file paths
- Unusual POST requests to WordPress admin-ajax.php or similar endpoints
SIEM Query:
source="web_logs" AND (uri="*content_block*" OR uri="*admin-ajax.php*") AND (query="*file=*" OR query="*path=*")
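As an added example (not part of the advisory), a small Python scanner that applies the log indicators above to web server access-log lines: it flags requests that touch the content_block shortcode or admin-ajax.php and carry a file= or path= parameter, and ranks traversal or absolute paths in that parameter as the strongest signal. The log lines, IP addresses and usernames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:12:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - alice [10/Apr/2024:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=content_block&file=../../example.php HTTP/1.1" 200 310 "-" "curl/8.0"
203.0.113.9 - bob [10/Apr/2024:12:00:15 +0000] "GET /wp-admin/post.php?post=7&action=edit HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.7 - alice [10/Apr/2024:12:00:21 +0000] "GET /?content_block=1&path=/var/www/example.txt HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Fields of a combined-format line: client IP, remote user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameters the advisory names as carrying file paths.
FILE_PARAMS = ("file", "path")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Return a reason string if the request matches the advisory's indicators, else None."""
    parts = urlsplit(rec["target"])
    params = parse_qs(parts.query, keep_blank_values=True)
    touches_shortcode = "content_block" in rec["target"]
    touches_ajax = parts.path.endswith("/admin-ajax.php")
    if not (touches_shortcode or touches_ajax):
        return None
    for name in FILE_PARAMS:
        for value in params.get(name, []):
            # Traversal or an absolute path in a file parameter is the strongest signal.
            if ".." in value or value.startswith("/"):
                return f"{name}= with traversal/absolute path: {value}"
            return f"{name}= parameter present: {value}"
    return None

def scan(log_text):
    """Return (ip, user, method, target, reason) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reason := classify(rec)):
            findings.append((rec["ip"], rec["user"], rec["method"], rec["target"], reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same function can be pointed at a real access log by reading the file and passing its text to scan(); lines that do not match the combined format are skipped rather than raising.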
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3078739%40custom-post-widget&new=3078739%40custom-post-widget&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c5a0b8fe-d284-4780-84b5-2e97fa96c99a?source=cve