Getwid – Gutenberg Blocks – Missing Authorization & Captcha Bypass – CVE-2023-6959 & CVE-2023-6963 | WordPress Plugin Vulnerability Report
Plugin Name: Getwid – Gutenberg Blocks
Key Information:
- Software Type: Plugin
- Software Slug: getwid
- Software Status: Active
- Software Author: jetmonsters
- Software Downloads: 1,066,235
- Active Installs: 50,000
- Last Updated: January 25, 2024
- Patched Versions: 2.0.5
- Affected Versions: <= 2.0.4
Vulnerability Details - Section 1:
- Name: Getwid – Gutenberg Blocks <= 2.0.4
- Title: Missing Authorization to Recaptcha API Key Modification
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2023-6959
- CVSS Score: 4.3
- Publicly Published: January 17, 2024
- Researcher: Lucio Sá
- Description: Missing authorization in all versions up to and including 2.0.4 allows authenticated attackers with subscriber-level access to modify the 'Recaptcha Site Key' and 'Recaptcha Secret Key' settings, because the settings update is performed without a capability check.
Vulnerability Details - Section 2:
- Name: Getwid – Gutenberg Blocks <= 2.0.4
- Title: Captcha Bypass
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2023-6963
- CVSS Score: 5.3
- Publicly Published: January 17, 2024
- Researcher: Lucio Sá
- Description: A CAPTCHA Bypass vulnerability in versions up to and including 2.0.4 allows unauthenticated attackers to bypass the Captcha Verification of the Contact Form block.
Summary
The Getwid – Gutenberg Blocks plugin for WordPress, a popular tool for enhancing the Gutenberg editor, has encountered significant security vulnerabilities in versions up to and including 2.0.4. These vulnerabilities, identified as CVE-2023-6959 and CVE-2023-6963, involve missing authorization for modifying Recaptcha API keys and a CAPTCHA bypass in the contact form block. Both issues have been resolved in the patched version 2.0.5.
Detailed Overview
Lucio Sá, a security researcher, discovered two vulnerabilities in the Getwid – Gutenberg Blocks plugin (CVSS 3.1 scores 4.3 and 5.3). The first, CVE-2023-6959, allows unauthorized changes to the 'Recaptcha Site Key' and 'Recaptcha Secret Key' because the settings handler lacks a capability check. The second, CVE-2023-6963, is a CAPTCHA bypass that undermines the spam and abuse protection of the plugin's Contact Form block. Together they could weaken a site's defenses and make it easier for attackers to conduct malicious activity.
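The two defect classes above, a settings handler with no capability check and a CAPTCHA check that can be skipped, are common in WordPress plugins. The following is an added example and is not Getwid's code; it is a hypothetical plugin (function names, option names and the AJAX action names are invented) that shows the unprotected handler beside a hardened one, and a server-side reCAPTCHA verification that fails closed. The report does not say how the Getwid bypass worked, so the verification function simply shows the property a defender wants: an empty token, a missing secret, a transport error, or a non-success reply all reject the submission.

```php
<?php
// Added example, not Getwid's code. Hypothetical plugin handlers that
// illustrate the vulnerability classes in this report and their fixes.

// --- Vulnerable pattern (do not use): every logged-in user, including
// subscribers, can reach actions registered with wp_ajax_, and this handler
// never checks who is calling or whether the request carries a nonce.
function example_save_recaptcha_keys_unsafe() {
    update_option( 'example_recaptcha_site_key',   sanitize_text_field( wp_unslash( $_POST['site_key'] ?? '' ) ) );
    update_option( 'example_recaptcha_secret_key', sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) ) );
    wp_send_json_success();
}

// --- Hardened pattern: capability check first, then nonce, then sanitise,
// then save. manage_options is the capability administrators hold for
// plugin settings; subscribers do not have it.
function example_save_recaptcha_keys_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // Rejects the request (and exits) unless the 'nonce' field was issued
    // by wp_create_nonce( 'example_recaptcha_settings' ) for this user.
    check_ajax_referer( 'example_recaptcha_settings', 'nonce' );

    update_option( 'example_recaptcha_site_key',   sanitize_text_field( wp_unslash( $_POST['site_key'] ?? '' ) ) );
    update_option( 'example_recaptcha_secret_key', sanitize_text_field( wp_unslash( $_POST['secret_key'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_recaptcha_keys', 'example_save_recaptcha_keys_safe' );

// --- Fail-closed server-side CAPTCHA verification. Returns true only when
// Google's siteverify endpoint explicitly reports success.
function example_verify_recaptcha( $token ) {
    $secret = get_option( 'example_recaptcha_secret_key', '' );
    if ( '' === $secret || '' === $token ) {
        return false; // unconfigured secret or missing token: reject
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false; // transport or HTTP error: reject, never skip the check
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data ) && ! empty( $data['success'] );
}

// Contact-form handler: the CAPTCHA result gates processing unconditionally,
// for both logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_) callers.
function example_handle_contact_form() {
    $token = sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ?? '' ) );
    if ( ! example_verify_recaptcha( $token ) ) {
        wp_send_json_error( 'captcha verification failed', 400 );
    }
    // ... validate and deliver the submission here ...
    wp_send_json_success();
}
add_action( 'wp_ajax_example_contact_form',        'example_handle_contact_form' );
add_action( 'wp_ajax_nopriv_example_contact_form', 'example_handle_contact_form' );
```

Two points worth noting when reviewing a plugin against this pattern: a nonce on its own is not an authorization check (any logged-in user can obtain a nonce for a page they can view), so the capability test must be present as well; and the CAPTCHA check has to be unconditional on the server side, since anything the browser sends, including a flag saying the captcha was solved, can be omitted or forged.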
Advice for Users
- Immediate Action: Users should update to version 2.0.5 without delay.
- Check for Signs of Exploitation: Monitor your website for unexpected changes to the reCAPTCHA settings and for unusual or spam form submissions.
- Alternate Plugins: Consider temporarily using alternative Gutenberg blocks or CAPTCHA solutions.
- Stay Updated: Always keep your plugins updated to the latest versions to prevent security vulnerabilities.
Conclusion
The rapid response from Getwid’s developers in patching these vulnerabilities highlights the critical nature of regular plugin updates. Website owners, particularly small businesses with limited resources, are advised to ensure their installations are running version 2.0.5 or later. Staying vigilant and promptly addressing such vulnerabilities is key to safeguarding WordPress sites against potential cyber threats.
References
- Wordfence Vulnerability Report on Getwid - CVE-2023-6959
- Wordfence Vulnerability Report on Getwid - CVE-2023-6963
Introduction
In today's digital landscape, where websites play a pivotal role in business and personal branding, the importance of cybersecurity is paramount. The recent discovery of vulnerabilities in the Getwid – Gutenberg Blocks plugin, designated as CVE-2023-6959 and CVE-2023-6963, serves as a vital reminder of the need for constant vigilance and timely updates in website maintenance. These vulnerabilities highlight the potential risks associated with widely used WordPress plugins and the necessity of safeguarding digital assets against emerging threats.
Plugin Overview
Getwid – Gutenberg Blocks, developed by jetmonsters, is a popular WordPress plugin that enhances the Gutenberg editor with additional templates, widgets, and building tools. With over a million downloads and 50,000 active installations, it has become a fundamental tool for many WordPress users.
Risks and Potential Impacts
These vulnerabilities pose significant risks to website integrity and user security. The ability for lower-level users to modify key settings or bypass security measures can lead to unauthorized access, data breaches, and potentially, misuse of website functionalities. For small businesses, such breaches could have severe repercussions, including loss of customer trust and reputational damage.
Previous Vulnerabilities
The Getwid – Gutenberg Blocks plugin has had two previous vulnerabilities since June 6, 2023, highlighting the ongoing security challenges in the WordPress ecosystem.
Conclusion
The swift response from Getwid’s developers in addressing these vulnerabilities underscores the critical importance of regular plugin updates for website security. For small business owners, staying informed and proactive in updating and securing WordPress sites is essential, particularly when resources for constant monitoring are limited. Implementing automated update systems or engaging managed hosting services can be effective strategies to ensure security while minimizing the time and effort required. Ultimately, vigilance and prompt action are key to protecting your online presence against evolving cyber threats.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.