This is a bit of an older one, but it’s still important to highlight. The popular Kadence Blocks plugin had a missing authorisation vulnerability in versions up to 3.6.3. This allowed authenticated users with the Contributor role to upload arbitrary files to the Media Library.
What’s the vulnerability?
The plugin’s REST API endpoint /kadence-blocks/v1/process_pattern processes image URLs from block content and downloads them to the Media Library. The endpoint checks whether the user can edit posts, but it doesn’t check if they can upload files.
In WordPress, these are separate capabilities:
- Contributor can edit their own posts but can’t upload media
- Author can edit their own posts and upload media
By sending a crafted request to the endpoint with a URL pointing to any file, a Contributor can bypass the upload restriction and add arbitrary files to the Media Library. The plugin downloads the file and creates an attachment post without verifying the upload_files capability.
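To make the capability gap concrete, here is an added example (not Kadence Blocks code) of a REST route that sideloads an image URL into the Media Library, registered once with the weak check and once with the corrected one. The `example-plugin` namespace and the `example_plugin_*` function names are hypothetical; the WordPress functions used (`register_rest_route`, `current_user_can`, `media_sideload_image`, `rest_authorization_required_code`) are core API.

```php
<?php
/**
 * Added example, not from the original post or the plugin: the same
 * sideload handler behind a weak permission callback and a hardened one.
 * Names in the "example-plugin" namespace are hypothetical.
 */

add_action( 'rest_api_init', function () {
    // WEAK: only checks edit_posts. A Contributor passes this check even
    // though the normal media UI denies them, so the route becomes a way
    // around the upload_files restriction.
    register_rest_route( 'example-plugin/v1', '/sideload-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_sideload',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );

    // HARDENED: the route creates attachment posts, so it must require the
    // capability that governs media uploads, not just post editing.
    register_rest_route( 'example-plugin/v1', '/sideload', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_sideload',
        'permission_callback' => 'example_plugin_can_sideload',
        'args'                => array(
            'url' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    // Reject anything that is not a well-formed http(s) URL.
                    return false !== wp_http_validate_url( $value );
                },
            ),
        ),
    ) );
} );

function example_plugin_can_sideload() {
    if ( ! current_user_can( 'edit_posts' ) || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You do not have permission to upload files.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_plugin_sideload( WP_REST_Request $request ) {
    // Defence in depth: re-check in the handler so the requirement does not
    // depend solely on the route registration being correct.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You do not have permission to upload files.' ),
            array( 'status' => 403 )
        );
    }

    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // media_sideload_image() downloads the URL and creates the attachment
    // post; it only accepts URLs that look like image files, and with the
    // 'id' return type it hands back the attachment ID instead of HTML.
    $attachment_id = media_sideload_image( $request['url'], 0, null, 'id' );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }

    return rest_ensure_response( array( 'attachment_id' => $attachment_id ) );
}
```

The important design point is that the permission callback asks about the action the route actually performs (creating media), not the action the caller happens to be doing in the editor (editing a post). Checking both capabilities keeps the route consistent with what the same user could do through the normal admin UI.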
This is more important than it seems – it’s not just a case of being able to upload images. In a simple case, the attacker can upload tons of files in an effort to consume your hosting storage (and cost you money). But in the worst case, they can use your website as a file store to host illegal images or malware.
For sites that grant Contributor access to freelancers, guest authors, or community members, this is a real privilege escalation.
The fix
The patched version checks for the upload_files capability before processing images. Simple, but essential…
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You do not have permission to upload files.' )
        );
    }
What to do
The fix is easy – standard WordPress good hygiene. Keep updating your plugins regularly. In this case, update to Kadence Blocks 3.6.4 or later immediately. The patch adds a proper capability check to the endpoint.
After updating, audit your Media Library and remove any files uploaded by Contributor accounts that you don’t recognise.
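The audit step above is easier with a script than by scrolling the Media Library. Below is an added example (not part of the original post) that lists every attachment owned by a Contributor account, optionally limited to uploads after a given date, so each one can be reviewed before deletion. The `example_contributor_attachments` function name and the file name are hypothetical; it is meant to be run with WP-CLI via `wp eval-file audit-contributor-uploads.php`.

```php
<?php
/**
 * Added example, not from the original post: report Media Library
 * attachments whose author is a Contributor. Run from the site root with
 *   wp eval-file audit-contributor-uploads.php
 * Nothing is deleted; review the list first, then remove unrecognised
 * files with wp_delete_attachment() or `wp post delete <ID>`.
 */

function example_contributor_attachments( $since = '' ) {
    // IDs of every user currently holding the Contributor role.
    $contributors = get_users( array(
        'role'   => 'contributor',
        'fields' => 'ID',
    ) );
    if ( empty( $contributors ) ) {
        return array();
    }

    $args = array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',   // attachments use 'inherit', not 'publish'
        'author__in'     => $contributors,
        'posts_per_page' => -1,
        'orderby'        => 'date',
        'order'          => 'DESC',
    );
    if ( '' !== $since ) {
        // Narrow to uploads after a date, e.g. when the vulnerable version was installed.
        $args['date_query'] = array( array( 'after' => $since ) );
    }

    $rows = array();
    foreach ( get_posts( $args ) as $attachment ) {
        $rows[] = array(
            'id'     => $attachment->ID,
            'author' => get_the_author_meta( 'user_login', $attachment->post_author ),
            'date'   => $attachment->post_date,
            'mime'   => $attachment->post_mime_type,
            'file'   => get_attached_file( $attachment->ID ),
        );
    }
    return $rows;
}

// Usage: print one line per attachment. Pass a date string such as
// '2024-01-01' to example_contributor_attachments() to limit the range.
$rows = example_contributor_attachments();
WP_CLI::log( sprintf( '%d attachment(s) owned by Contributor accounts', count( $rows ) ) );
foreach ( $rows as $row ) {
    WP_CLI::log( sprintf(
        '%-6d %-20s %-20s %-24s %s',
        $row['id'], $row['author'], $row['date'], $row['mime'], $row['file']
    ) );
}
```

Pay particular attention to MIME types that are not images and to files whose on-disk path is missing or unexpected; those are the entries most worth investigating. Deleting a Contributor's account does not remove their attachments, so an audit like this is still needed after offboarding.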