On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the full disclosure the same day. A patched version of the plugin, 1.8.4, was released on April 13, 2023.
The more serious vulnerability is rated high severity because it allows authenticated users to perform Server-Side Request Forgery (SSRF), which can result in full access to the hosted instance on some cloud configurations. Additionally, it may allow further penetration into internal networks in some enterprise configurations. The other vulnerability is much lower in severity and allows authenticated users to clear and update the site’s template cache.
All Wordfence customers received a firewall rule protecting against the Server-Side Request Forgery (SSRF) vulnerability by May 6, 2023.
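The two impacts named above, access to the cloud instance and reach into internal networks, both come from a server being made to fetch loopback, link-local or private addresses. As an added illustration (not code from the plugin or from Wordfence), here is a destination check in Python that rejects those ranges before any fetch; the hostnames, addresses and the `SAMPLE_DNS` stub resolver are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.20.0.5"],
    "mixed.example.com": ["93.184.216.34", "169.254.169.254"],
}

def resolve(host):
    """Hypothetical resolver: IP literals pass through, names come from SAMPLE_DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in SAMPLE_DNS.get(host, [])]

def risk_of(addr):
    """Map one address to the SSRF impact it would expose, or None if public."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot bypass the IPv4 checks.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local (cloud metadata range)"
    if addr.is_private:
        return "internal network"
    if not addr.is_global:
        return "reserved"
    return None

def check_url(url):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    addrs = resolve(parts.hostname)
    if not addrs:
        return False, "unresolvable"
    # Every resolved address must be public; one bad record rejects the URL.
    for addr in addrs:
        risk = risk_of(addr)
        if risk:
            return False, risk
    return True, "public"
```

A check like this only holds if the fetch then connects to the address that was validated and re-runs the check on every redirect; otherwise a second DNS lookup or a redirect can still land on an internal destination.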