CVE-2025-8059
The B Blocks plugin for WordPress
A critical privilege escalation vulnerability has been identified in the B Blocks plugin for WordPress.
Executive summary
A critical privilege escalation vulnerability has been identified in the B Blocks plugin for WordPress. This flaw allows an unauthenticated attacker to create a new user with administrative privileges by exploiting missing security checks. Successful exploitation would result in a full compromise of the affected website, enabling the attacker to steal data, install malware, or deface the site.
Vulnerability
The vulnerability exists within the rgfr_registration() function of the plugin. This function, intended for user registration, fails to perform adequate authorization checks to ensure the user making the request has the appropriate permissions. Furthermore, improper input validation allows an attacker to specify the user role during the registration process. An unauthenticated remote attacker can exploit this by sending a specially crafted request to the vulnerable function, creating a new user account with administrative-level privileges.
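To illustrate the two controls the advisory says the function lacks (caller authorization and role validation), the following is an added, hypothetical hardened WordPress AJAX registration handler; it is not the B Blocks plugin's code, and the hook name `example_register`, the nonce action and the POST field names are assumptions.

```php
<?php
// Hypothetical handler (added example, not plugin code). Hook/nonce/field
// names are assumptions; the WordPress API calls are real.
add_action( 'wp_ajax_example_register', 'example_secure_registration' );
add_action( 'wp_ajax_nopriv_example_register', 'example_secure_registration' );

function example_secure_registration() {
    // 1. Anti-CSRF: the request must carry the nonce issued with the form.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_register_nonce', 'nonce' );

    // 2. Authorization: unless the site has opened self-registration,
    //    only a caller who may create users can reach the rest.
    $self_registration = (bool) get_option( 'users_can_register' );
    if ( ! $self_registration && ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'Not permitted.', 403 ); // wp_die()s
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'Invalid login or e-mail.', 400 );
    }
    if ( username_exists( $login ) || email_exists( $email ) ) {
        wp_send_json_error( 'Account already exists.', 409 );
    }

    // 3. Role handling: never trust a role supplied by the client.
    //    Self-registrations get the site's default role; a privileged
    //    caller may pick from an allow-list that excludes administrator.
    $role = get_option( 'default_role', 'subscriber' );
    if ( current_user_can( 'promote_users' ) ) {
        $allowed   = array( 'subscriber', 'contributor', 'author' );
        $requested = sanitize_key( $_POST['role'] ?? '' );
        if ( in_array( $requested, $allowed, true ) ) {
            $role = $requested;
        }
    }

    // Random password; the new user sets their own via a reset link.
    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The role allow-list is the control that matters for this CVE class: even if the authorization step were bypassed, a client-supplied `administrator` value is never honoured.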
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit grants an attacker complete administrative control over the WordPress site. The potential consequences include theft of sensitive company and customer data, website defacement causing significant reputational damage, injection of malware to attack site visitors, and using the compromised server for further malicious activities. The financial and operational impact of a full site compromise can be severe, leading to regulatory fines, cleanup costs, and loss of customer trust.
Remediation
Immediate Action: Update the B Blocks plugin for WordPress to the latest patched version immediately. After patching, conduct a thorough audit of all user accounts, especially those with administrative privileges, to identify and remove any unauthorized accounts created by exploiting this vulnerability.
Proactive Monitoring: System administrators should actively monitor web server access logs for suspicious POST requests related to user registration or the rgfr_registration() function. Review WordPress audit logs for unexpected user creation events or privilege escalations. Deploying an intrusion detection system (IDS) can help identify post-exploitation activity.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the vulnerable registration function. Alternatively, consider temporarily disabling the B Blocks plugin until it can be safely updated. Restricting access to the WordPress login and registration pages by IP address can also reduce the attack surface.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score of 9.8, this vulnerability poses an extreme risk to the organization. The potential for a complete system compromise necessitates immediate action. We strongly recommend that all instances of the B Blocks WordPress plugin be updated to a patched version without delay. The absence of a public exploit or a CISA KEV listing should not be interpreted as a low risk; organizations must assume active exploitation is imminent and prioritize remediation accordingly.