CVE-2023-6964 in Gutenberg Blocks Plugin

Summary

by MITRE • 04/09/2024

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.26 via the 'kadence_import_get_new_connection_data' AJAX action. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.


Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2023-6964 affects the Gutenberg Blocks by Kadence Blocks plugin for WordPress, specifically impacting versions up to and including 3.1.26. This represents a critical security flaw that exposes the plugin to server-side request forgery attacks, allowing authenticated attackers with contributor-level privileges or higher to make the web server issue requests on their behalf, from the server's own network position. The vulnerability manifests through the 'kadence_import_get_new_connection_data' AJAX action, which serves as the entry point for malicious activity within the WordPress environment.

The technical flaw stems from inadequate input validation and sanitization within the plugin's AJAX handling mechanism. When the 'kadence_import_get_new_connection_data' endpoint processes a request, it fails to validate or restrict the URLs that the server will fetch on the caller's behalf. This allows attackers to manipulate the request parameters so that the plugin's outbound requests are redirected to internal network services or to external endpoints of the attacker's choosing. The weakness is classified as CWE-918, server-side request forgery: the application fetches a resource whose location is influenced by the caller without adequately validating the target URL.

The operational impact of this vulnerability extends beyond simple data exfiltration, as it enables attackers to interact with internal services that may otherwise be protected by network segmentation or firewall rules. An authenticated user with contributor privileges can leverage this flaw to perform reconnaissance activities against internal systems, potentially accessing sensitive information from services running on the same network as the WordPress installation. This includes but is not limited to database servers, internal APIs, or other web applications that might be accessible from the web server's network context, creating a significant risk for organizations with complex network architectures.

The security implications of CVE-2023-6964 align with several ATT&CK framework techniques including T1071.004 for application layer protocol usage and T1566 for credential access through social engineering. The vulnerability allows attackers to bypass traditional network security controls by leveraging the legitimate web application's trust relationship with internal services. This enables lateral movement within the network and potentially provides attackers with access to sensitive data or systems that would normally be protected by network perimeter defenses. Organizations should consider this vulnerability as part of a broader attack chain that could lead to complete system compromise.

Mitigation strategies for this vulnerability require immediate action including updating the Kadence Blocks plugin to version 3.1.27 or later, which contains the necessary patches to address the server-side request forgery issue. Additionally, administrators should implement network segmentation to limit the ability of web applications to communicate with internal services, and consider implementing web application firewalls that can detect and block suspicious outbound requests. The principle of least privilege should be enforced by ensuring that WordPress users have only the minimum necessary permissions to perform their duties, as this vulnerability requires contributor-level access or higher to exploit effectively. Regular security audits and monitoring of outbound network requests from web applications should also be implemented to detect potential exploitation attempts.
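As an added illustration of the pattern the analysis and the mitigation advice describe (not the Kadence Blocks plugin's code; the handler, parameter and allowlist names are assumed), a WordPress AJAX handler that forwards a caller-supplied URL is shown beside a hardened form that adds a capability check, URL validation against an allowlist and a fetch that rejects private targets:

```php
<?php
// Hypothetical WordPress AJAX handler illustrating the CWE-918 pattern described above.
// Not the plugin's own code; handler, parameter and allowlist names are assumed.

// WEAK: any logged-in user who can reach admin-ajax.php (contributors included) may
// supply a URL, and the server fetches it verbatim, so loopback, cloud-metadata and
// intranet addresses are all reachable from the web server's network position.
function example_connection_data_weak() {
    $url  = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $resp = wp_remote_get( $url );   // no capability check, no URL validation
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}

// HARDENED: nonce and capability checks, then scheme/host validation against an
// allowlist, then a "safe" fetch that rejects private and loopback targets.
const EXAMPLE_ALLOWED_HOSTS = array( 'api.example.com' ); // assumed allowlist

function example_is_allowed_url( $url ) {
    // wp_http_validate_url() rejects non-http(s) schemes, embedded credentials
    // and hosts that resolve to loopback or private address ranges.
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        return false;
    }
    $host = wp_parse_url( $validated, PHP_URL_HOST );
    return in_array( strtolower( (string) $host ), EXAMPLE_ALLOWED_HOSTS, true );
}

function example_connection_data_hardened() {
    check_ajax_referer( 'example_connection_nonce', 'nonce' );   // CSRF protection
    if ( ! current_user_can( 'manage_options' ) ) {            // contributors cannot reach this
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( ! example_is_allowed_url( $url ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }
    // wp_safe_remote_get() sets reject_unsafe_urls, so the HTTP API re-validates the
    // target; redirection => 0 stops an allowed host from bouncing the request elsewhere.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( $resp->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}

add_action( 'wp_ajax_example_connection_data', 'example_connection_data_hardened' );
```

The allowlist is the control that actually bounds where the server will connect; the address-range check alone still leaves edge cases such as a host whose DNS answer changes between validation and fetch.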

Responsible: Wordfence

Reservation: 12/19/2023

Disclosure: 04/09/2024

Moderation: accepted

CPE: ready

EPSS: 0.00363

KEV: no

Activities: very low

Sources
