Kadence Blocks 3.1.11 Patches Critical Vulnerability

The Kadence Blocks plugin, which is used on more than 300,000 WordPress sites, has patched a critical vulnerability in its Advanced Form Block file upload capability. Version 3.1.11, released on August 8, 2023, patches the security issue with the form uploads.

The plugin’s development team is getting out ahead of the situation by posting an advisory on their blog, with a short description of the vulnerability and its potential for exploit.

The Kadence Advanced Form Block, introduced in Kadence Blocks 3.1, offers site owners the ability to add a file upload capability to their site. The code within the Advanced Form Block had insufficient tests to limit what types of files can be uploaded. This could allow attackers to upload a file claiming to be a valid image type that actually contained malicious PHP code. That PHP code could be malicious, and in so doing, take over a vulnerable WordPress website. Exploiting this vulnerability would require a settings at the server level that would be considered insecure. Most premium hosting providers secure upload folders from PHP execution at the server level, though many budget hosting providers do not.

Kadence Blocks developer Ben Ritner said sites that are not using the Advanced Form Block file upload capability are not subject to this vulnerability. At this time the vulnerability is not known to have been exploited.

Kadence Blocks users are encouraged to update immediately and check for unexpected users, admin accounts, and content changes. The advisory also includes ways to make file uploads more secure, including limiting file type, adding authentication, and scanning for viruses.


3 responses to “Kadence Blocks 3.1.11 Patches Critical Vulnerability”

  1. It isn’t true that exploiting this would require a setting at the server level that would be considered insecure.

    It also isn’t true they are not getting out ahead of this. The vulnerable code, which was flagged by an automated security monitoring system, had been in the plugin for five months: https://www.pluginvulnerabilities.com/2023/08/07/code-that-leads-to-arbitrary-file-upload-vulnerability-in-stellarwps-kadence-blocks-has-been-there-for-5-months/

    • Good practice: Insecure code is identified, reported responsibly and then an update is release.
      Bad practice: Security vendor posts details of the vulnerability publicly, including a proof of concept, to attempt to (a) drive attention towards his firewall, and (b) blackmail the WordPress.org moderators into overturning his ban from the forums for said bad practice.

      • The responsible thing here would be for the security vendor who develops the plugin, StellarWP, to properly review the security of the code in their plugins. They are not doing that, which leads to unnecessary problems.

        It also isn’t a good practice for the WordPress.org moderators to act inappropriately, which caused a full disclosure here. But, again, if StellarWP was handling things properly, there wouldn’t be anything to disclose.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: