The Kadence Blocks plugin, which is used on more than 300,000 WordPress sites, has patched a critical vulnerability in its Advanced Form Block file upload capability. Version 3.1.11, released on August 8, 2023, patches the security issue with the form uploads.

The plugin’s development team is getting out ahead of the situation by posting an advisory on their blog, with a short description of the vulnerability and its potential for exploit.

The Kadence Advanced Form Block, introduced in Kadence Blocks 3.1, offers site owners the ability to add a file upload capability to their site. The code within the Advanced Form Block had insufficient tests to limit what types of files can be uploaded. This could allow attackers to upload a file claiming to be a valid image type that actually contained malicious PHP code. That PHP code could be malicious, and in so doing, take over a vulnerable WordPress website. Exploiting this vulnerability would require a settings at the server level that would be considered insecure. Most premium hosting providers secure upload folders from PHP execution at the server level, though many budget hosting providers do not.

Kadence Blocks developer Ben Ritner said sites that are not using the Advanced Form Block file upload capability are not subject to this vulnerability. At this time the vulnerability is not known to have been exploited.

Kadence Blocks users are encouraged to update immediately and check for unexpected users, admin accounts, and content changes. The advisory also includes ways to make file uploads more secure, including limiting file type, adding authentication, and scanning for viruses.