Kadence Blocks 3.1.11 Includes Patch for Critical Vulnerability
Just before midnight Mountain Daylight Time on August 8, 2023, the Kadence team pushed out a fix for a vulnerability in Kadence Blocks. This new version, Kadence Blocks 3.1.11, fixes a critical vulnerability in the Advanced Form Block file upload capability. Sites not using the Advanced Form Block file upload capability are not vulnerable to attacks that may target this vulnerability.
What was the vulnerability?
The Kadence Advanced Form Block, introduced in Kadence Blocks 3.1, offers site owners the ability to add a file upload capability to their site. The code within the Advanced Form Block had insufficient checks to limit what types of files can be uploaded. This could allow attackers to upload a file claiming to be a valid image type that actually contained malicious PHP code. If the server then executed that code, it could be used to take over a vulnerable WordPress website. Exploiting this vulnerability would require a setting at the server level that would be considered insecure. Most premium hosting providers secure upload folders from PHP execution at the server level, though many budget hosting providers do not.
What does this mean for your website?
As of the publication of this alert, there are no known instances of this vulnerability being exploited by malicious actors. As such, there is no reason to worry about your site.
However, you should check your website for any anomalies. This includes but is not limited to:
- Check to see if there are any unexpected users or admin accounts on your website.
- Look at your site’s content to determine if any unexplained changes have been made.
- Use Sucuri’s free site check to look for any indicators of compromise.
- Use iThemes Security to monitor for any unexpected file changes.
- Monitor Google Search Console for any indicators of unwanted site changes or malicious content.
- If you’re still concerned and wish to check your site further, consult an expert. But, as stated previously, there is no reason to suspect this vulnerability has been exploited at the time of publication.
How to update your site
If you have updated to Kadence Blocks 3.1.* since its release last week, please update to Kadence Blocks 3.1.11 as soon as possible. Log into your website admin area and navigate to “Updates.” Look for Kadence Blocks and choose to update the plugin.
If you are still using Kadence Blocks 3.0.* and have not yet updated to 3.1, please ensure you update to the latest version of Kadence Blocks 3.1.11 or greater when you do choose to update.
If you have any questions about this vulnerability, please feel free to reach out to support for assistance. The security of your website and data is our highest priority.
Be thoughtful when offering file uploads
Now is likely a good time to remind everyone of the security implications when adding file upload functionality to your forms. Any file upload capability should only be offered in specific and controlled instances. We also recommend:
Consider adding authentication. When offering file uploads, it often makes sense to ensure that you only offer this functionality to end users that are authenticated, meaning that they are logged into your site. In this way, you limit the attack surface for your form’s file upload capability. If, for example, you’re offering for your users to apply to a job and upload a resume, require that they create an account prior to application.
Limit file types. The Kadence Blocks Advanced Form Block offers the capability to limit the file types accepted for upload. Choose less, not more. Let the user know in text on the form which file types are allowed, and then restrict the upload in the Kadence Blocks settings to only those file types.
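The "limit file types" advice above, and the image-that-is-really-PHP defect described earlier, as an added example (not Kadence's code): a content-based upload check that a PHP form handler could run before storing a file. It assumes an image-only allowlist and uses constructed sample files.

```php
<?php
// Added example (not Kadence Blocks code): content-based validation of an
// uploaded file before it is stored. Assumed policy: images only. A file passes
// only when extension, magic bytes and sniffed MIME type agree and no PHP tag is present.
const ALLOWED_TYPES = [ // extension => [expected MIME type, magic-byte prefix]
    'png' => ['image/png',  "\x89PNG\r\n\x1a\n"],
    'jpg' => ['image/jpeg', "\xFF\xD8\xFF"],
    'gif' => ['image/gif',  'GIF8'],
];
// Returns null when the upload is acceptable, otherwise the rejection reason.
// $tmpPath is the server-side temporary file, $clientName the browser-sent name.
function validate_image_upload(string $tmpPath, string $clientName): ?string
{
    $base = basename($clientName);
    // Reject names like "photo.php.png" before looking at the last extension.
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $base)) {
        return 'disallowed extension in file name';
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension .$ext is not in the allowlist";
    }
    [$expectedMime, $magic] = ALLOWED_TYPES[$ext];
    $data = file_get_contents($tmpPath);
    if ($data === false || $data === '') {
        return 'empty or unreadable file';
    }
    // Never trust the client-supplied Content-Type; check the bytes instead.
    if (strncmp($data, $magic, strlen($magic)) !== 0) {
        return "contents do not start with the .$ext signature";
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if ($sniffed !== $expectedMime) {
        return "sniffed type $sniffed does not match .$ext";
    }
    // A genuine image header followed by PHP source is still a web shell on
    // hosts that let PHP execute from the uploads directory.
    if (preg_match('/<\?(php\b|=)/i', $data)) {
        return 'PHP open tag found inside image data';
    }
    return null;
}
// Constructed demo files (not artifacts from any real incident).
$good = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($good, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
$bad  = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($bad, "\x89PNG\r\n\x1a\n<?php echo 1; ?>");
foreach ([[$good, 'logo.png'], [$bad, 'logo.png'], [$good, 'x.php.png']] as [$p, $n]) {
    echo $n, ': ', validate_image_upload($p, $n) ?? 'accepted', PHP_EOL;
}
```

This check complements, rather than replaces, blocking PHP execution in the uploads directory at the web server level, which is the setting the advisory says most premium hosts already apply.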
Scan for file viruses. When downloading and opening files that have been uploaded to your site, scan files prior to opening in applications like Microsoft Word, etc. As a general practice, it’s always good to scan anything you receive, whether as an email attachment or as a file upload.
Employ CDR. Microsoft Office documents, PDFs and image files can carry embedded threats in hidden scripts and macros that are not always detected by anti-malware engines. To remove that risk and make sure files contain no hidden threats, it is best practice to strip any possible embedded objects using a methodology called content disarm and reconstruction (CDR).
Kadence takes security seriously
Immediately upon learning of this vulnerability, our team pushed out a fix. We take the security of our customers’ sites seriously, and we make security fixes a priority. We are thankful to the security researchers who responsibly disclose vulnerabilities for the common good of all WordPress and Kadence users.