VK Block Patterns Vulnerability – Cross-Site Request Forgery – CVE-2024-0623 | WordPress Plugin Vulnerability Report
Plugin Name: VK Block Patterns
Key Information:
- Software Type: Plugin
- Software Slug: vk-block-patterns
- Software Status: Active
- Software Author: vektor-inc
- Software Downloads: 1,113,989
- Active Installs: 80,000
- Last Updated: January 19, 2024
- Patched Versions: 1.31.2.0
- Affected Versions: <= 1.31.1.1
Vulnerability Details:
- Name: VK Block Patterns <= 1.31.1.1 - Cross-Site Request Forgery
- Type: Cross-Site Request Forgery (CSRF)
- CVE: CVE-2024-0623
- CVSS Score: 4.3 (Medium)
- Publicly Published: January 19, 2024
- Researcher: kodaichodai
- Description: The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbp_clear_patterns_cache() function. This makes it possible for unauthenticated attackers to clear the patterns cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Summary:
The VK Block Patterns plugin for WordPress has a vulnerability in versions up to and including 1.31.1.1 that allows unauthenticated attackers to clear the patterns cache via a forged request. This vulnerability has been patched in version 1.31.2.0.
Detailed Overview:
The VK Block Patterns plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.31.1.1. This is due to the vbp_clear_patterns_cache() function missing proper nonce validation, allowing unauthorized requests to clear the patterns cache. An attacker could exploit this by tricking an admin user into clicking a crafted link, which would send a request to clear the cache without the user's consent. This could disrupt site functionality. The vulnerability is patched by adding proper nonce validation in version 1.31.2.0.
Advice for Users:
- Immediate Action: Update to version 1.31.2.0 or later to ensure proper nonce validation is in place.
- Check for Signs of Compromise: Review your patterns cache to see if it has been unexpectedly cleared.
- Alternate Plugins: Consider using alternate plugins that provide block patterns functionality if unable to update.
- Stay Updated: Enable auto-updates on your WordPress installation and plugins to receive security fixes promptly.
Conclusion:
VK Block Patterns resolved this CSRF issue promptly by releasing version 1.31.2.0 to address the missing nonce validation. Users should install this patch or consider alternatives to secure their sites. Staying up-to-date is key to avoiding vulnerabilities.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vk-block-patterns
Detailed Report:
Website security should be a top priority for any online business. Unfortunately, vulnerabilities in widely used software like WordPress and its plugins put many sites at risk of compromise. This was recently demonstrated by a vulnerability discovered in the popular VK Block Patterns plugin, used on over 80,000 sites. This flaw allows attackers to forcibly clear a vital cache, disrupting normal site functionality.
About VK Block Patterns
VK Block Patterns is a popular WordPress plugin with over 1 million downloads. It provides various block pattern templates to help build pages. This useful plugin powers over 80,000 active sites. It is developed by Vektor, Inc. and usually receives timely security updates.
Details of the Vulnerability
Researcher kodaichodai recently discovered a cross-site request forgery (CSRF) vulnerability affecting VK Block Patterns version 1.31.1.1 and below. The issue lies in the vbp_clear_patterns_cache() function which fails to validate security tokens. This allows unauthorized clearing of the patterns cache via crafted links. An attacker could exploit this by tricking an admin into clicking a link that wipes the cache, disrupting the site.
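The pattern described in the Detailed Overview and again above is a WordPress admin action that changes state without a nonce check. The illustration below is added here and is not the plugin's own code; the function, hook and transient names (vbp_demo_*, 'vbp_demo_patterns') are assumed placeholders, while the WordPress API calls are real. It shows the unsafe shape beside the hardened one.

```php
<?php
// Added illustration (not VK Block Patterns' code): an admin-post handler that
// clears a cached value, first without any request validation, then hardened.

// UNSAFE SHAPE: nothing ties the request to a page the admin actually loaded.
// Because the browser attaches the admin's session cookie to any request to
// the site, a link or image on a third-party page can trigger this handler.
function vbp_demo_clear_cache_unsafe() {
    delete_transient( 'vbp_demo_patterns' );           // assumed transient name
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
// (intentionally not hooked; shown only for contrast)

// HARDENED: require the right capability AND a nonce bound to this action.
// check_admin_referer() reads $_REQUEST['_wpnonce'], verifies it against the
// current user's session, and calls wp_die() on failure, so a forged request
// never reaches delete_transient().
function vbp_demo_clear_cache_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'vbp_demo_clear_cache' );
    delete_transient( 'vbp_demo_patterns' );
    wp_safe_redirect( add_query_arg( 'cleared', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_vbp_demo_clear_cache', 'vbp_demo_clear_cache_hardened' );

// The only legitimate trigger is a link minted server-side for the logged-in
// user; the nonce it carries is unknown to any other site.
function vbp_demo_clear_cache_link() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=vbp_demo_clear_cache' ),
        'vbp_demo_clear_cache'
    );
    return '<a href="' . esc_url( $url ) . '">Clear patterns cache</a>';
}
```

The capability check alone does not stop CSRF, since the victim is an admin; the nonce is what prevents a cross-site page from forging the request.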
Impacts of the Vulnerability
This vulnerability has a CVSS severity score of 4.3 out of 10, meaning it is a medium risk. Impacts include:
- Unexpected cache clearing leading to site errors
- Potential first step in further attacks
- Reputation damage if site visitors encounter issues
Fortunately, Vektor Inc. quickly patched the issue in version 1.31.2.0. Users must update manually since auto-updates are not enabled by default.
Previous Vulnerabilities
While responsive to security issues, VK Block Patterns has had vulnerabilities reported previously:
- Directory traversal in 1.29.0.0 (patched in 1.29.1.0)
- Improper input validation in 1.27.0.0 (patched in 1.27.1.0)
This illustrates the ongoing importance of staying current.
Remediating the Vulnerability
As a VK Block Patterns user, you should:
- Update to version 1.31.2.0 or newer
- Review your patterns cache for unexpected clears
- Enable auto-updates in WordPress dashboard
If unable to update, consider alternatives like Patternz or Qubely Blocks.
Conclusion
The prompt response by Vektor Inc. shows their commitment to security. However, the discovery of yet another vulnerability emphasizes that site owners must be proactive as well by applying updates on time. For a small business owner without ample security resources, leveraging managed website security and maintenance services can help catch issues early. Staying current, vigilant, and seeking help when needed keeps your business safe online.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.