CVE-2023-6623: 
WordPress vulnerability analysis and mitigation

The Essential Blocks WordPress plugin (versions before 4.4.3) contains a critical Local File Inclusion vulnerability identified as CVE-2023-6623. The vulnerability was discovered on December 8, 2023, and publicly disclosed on December 21, 2023, after the patch was released in version 4.4.3 on December 18, 2023. The vulnerability affects all installations of the Essential Blocks plugin running versions prior to 4.4.3 (WPScan Blog).

The vulnerability stems from improper handling of local variables when rendering templates over the REST API. The plugin's template system uses the PHP extract() function without the EXTR_SKIP flag, allowing attackers to overwrite already defined variables, including those holding the path to the template to include. This vulnerability is classified as CWE-22 (Path Traversal) and has received a CVSS v3.1 score of 9.8 (Critical), indicating its severe nature (NVD, WPScan Blog).

When successfully exploited, this vulnerability allows unauthenticated attackers to include arbitrary files hosted on the server to be parsed and executed as PHP files. This could potentially lead to Remote Code Execution on certain server configurations, representing a critical security risk for affected websites (WPScan Blog).

The recommended mitigation is to update the Essential Blocks plugin to version 4.4.3 or later, which contains the security fix. The plugin authors promptly addressed the vulnerability by releasing a patched version after being notified of the issue (WPScan Blog).