CVE-2024-9234

Name of the Vulnerable Software and Affected Versions The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress versions up to, and including, 2.1.0

Description The issue is related to a missing capability check on the install and activate plugin from external() function, which is part of the install-active-plugin REST API endpoint. This allows unauthenticated attackers to install and activate arbitrary plugins or upload arbitrary files disguised as plugins.

Recommendations For versions up to, and including, 2.1.0, update to a version higher than 2.1.0 to resolve the issue. As a temporary workaround, consider disabling the install and activate plugin from external() function until a patch is available. Restrict access to the install-active-plugin REST API endpoint to minimize the risk of exploitation.