CVE-2024-11219

Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 3.0.6 - Unauthenticated Path Traversal to Arbitrary Image View

CVSS 5.3 (MEDIUM) | EPSS 0.5% | CWE-22
In short

An attacker can view any image file on a WordPress server without logging in by exploiting a flaw in the Otter Blocks plugin. This could expose sensitive images stored on the server.

Technical detail

The plugin's get_image function is vulnerable to path traversal (CWE-22), allowing unauthenticated attackers to bypass the intended directory restriction and read arbitrary image files on the server. Exploitation requires nothing more than HTTP requests, and the disclosed images may contain sensitive data.

Summary generated and translated by AI from the official description.
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.0.6 via the get_image function. This makes it possible for unauthenticated attackers to view arbitrary images on the server, which can contain sensitive information.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
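The fix for this class of bug is to confine the resolved path to the directory the helper is meant to serve. The following is an added example, not the plugin's code: a hypothetical hardened image lookup with a constructed fixture, where `resolve_image_path`, `demo` and the file names are assumptions.

```python
import os
import tempfile
from typing import Optional

# Image extensions the helper is willing to serve (assumed allow-list).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def resolve_image_path(base_dir: str, requested: str) -> Optional[str]:
    """Hardened image lookup (hypothetical; not the plugin's get_image).

    Returns an absolute path only if the request, after resolving '..'
    segments, absolute paths and symlinks, still lands inside base_dir
    and names an existing file with an allowed image extension.
    """
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `requested` is absolute, and realpath
    # collapses '..' and symlinks; the containment test below catches both.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None  # escaped the served directory
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None  # not an image
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Build a constructed fixture and report which requests get served."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    for path in (os.path.join(uploads, "logo.png"),      # served image
                 os.path.join(root, "private.png"),      # outside uploads
                 os.path.join(uploads, "notes.txt")):    # not an image
        with open(path, "wb") as fh:
            fh.write(b"\x89PNG")  # constructed sample content
    try:  # symlink inside uploads pointing outside it
        os.symlink(os.path.join(root, "private.png"),
                   os.path.join(uploads, "link.png"))
    except OSError:
        pass  # platforms without symlink support: request just won't resolve
    requests = {
        "in_dir": "logo.png",
        "dotdot": "../private.png",
        "absolute": os.path.join(root, "private.png"),
        "symlink_out": "link.png",
        "wrong_ext": "notes.txt",
    }
    return {name: resolve_image_path(uploads, req) is not None
            for name, req in requests.items()}
```

Only the in-directory request is served; every other case is rejected before any file is opened, which is the behaviour a WordPress helper serving images should have.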
