31 Jan 2025

Patchstack Admits to Failing to Do Basic Due Diligence With Vulnerability Reports, Which Leads to Vulnerabilities Remaining Unfixed

Last May, we looked into a claim from Automattic’s WPScan that a vulnerability in the 400,000+ install WordPress plugin Kadence Blocks, in its implementation of WordPress blocks, had been fixed. They provided little information and didn’t show any evidence that the issue had been resolved. There was the further problem that the changelog for the version in which they claimed the issue was fixed made no mention of a security fix. We did find that the proof of concept they provided stopped working in that version. But we also found that plenty of code related to the issue was still not properly secured, and we confirmed that at least one instance was still vulnerable.

Before warning our customers about that, we attempted to work with the developer, StellarWP, to address it. On the website of their Kadence brand, there is a page on responsible disclosure that starts this way (emphasis ours):

7 Aug 2023

Code That Leads to Arbitrary File Upload Vulnerability in StellarWP’s Kadence Blocks Has Been There for 5 Months

A couple of weeks ago, we noted how Wordfence had claimed that the low number of newly introduced vulnerabilities being detected in WordPress plugins was proof that the security of plugins was improving, when it could instead mean that detection of newly introduced vulnerabilities isn’t very good. A serious vulnerability that recently became functional in the 300,000+ install plugin Kadence Blocks is further evidence of poor detection of newly introduced vulnerabilities.

The developer of that plugin, StellarWP, has had a terrible security track record despite developing one of the most popular security plugins. That record includes failing to fix a vulnerability that their own security plugin was warning about, and failing to implement basic security in another plugin, which led to a zero-day. That makes the issue with Kadence Blocks not all that surprising.