Description
The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services.
Published: 2025-12-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The Gutenberg Essential Blocks plugin for WordPress contains missing or incorrect capability checks in three callback functions (get_instagram_access_token_callback, google_map_api_key_save_callback, and get_siteinfo) that allow any authenticated user with Author-level privileges or higher to read API keys that have been configured for external services. The vulnerability discloses sensitive credentials; it does not permit code execution or modification of site content. The weakness is classified as CWE-862 (Missing Authorization).
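The flaw class described above is a WordPress handler that returns a stored secret without first asking whether the caller is allowed to see it. The snippet below is an added illustration, not code from the Essential Blocks plugin: the function names, option name, AJAX action and nonce name are placeholders, and the real plugin's hooks and storage are not known from this page. It contrasts the unchecked pattern (and the common "incorrect check" variant that tests a capability Authors already hold) with a handler gated on an administrator-only capability and a nonce.

```php
<?php
/**
 * Added illustration of CWE-862 in a WordPress admin-ajax handler.
 * Not code from the Essential Blocks plugin; all names below are placeholders.
 */

// Pattern the advisory describes: the handler is reachable by every logged-in
// user (any wp_ajax_* hook is) and never checks who is asking. An Author can
// therefore read the key.
function eb_demo_get_api_key_unchecked() {
    wp_send_json_success( array( 'key' => get_option( 'eb_demo_api_key', '' ) ) );
}

// "Incorrect" check variant: edit_posts is granted to Authors, Contributors
// and above, so this guard does not protect administrator-level settings.
function eb_demo_get_api_key_wrong_capability() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'key' => get_option( 'eb_demo_api_key', '' ) ) );
}

// Hardened read handler: manage_options is held by Administrators only in a
// default install, so Author+ users are refused before the option is touched.
// check_ajax_referer() stops the request if the nonce is missing or invalid.
function eb_demo_get_api_key_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'eb_demo_settings_nonce', 'nonce' );

    wp_send_json_success( array( 'key' => get_option( 'eb_demo_api_key', '' ) ) );
}

// Hardened save handler, mirroring a "*_api_key_save_callback": same gate,
// plus sanitisation of the submitted value before it is stored.
function eb_demo_save_api_key_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'eb_demo_settings_nonce', 'nonce' );

    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'eb_demo_api_key', $key );
    wp_send_json_success( array( 'saved' => true ) );
}

// Register only the checked handlers, and only for logged-in users
// (no wp_ajax_nopriv_* registration: anonymous callers have no use for these).
add_action( 'wp_ajax_eb_demo_get_api_key',  'eb_demo_get_api_key_checked' );
add_action( 'wp_ajax_eb_demo_save_api_key', 'eb_demo_save_api_key_checked' );
```

When auditing a plugin for this class of bug, the question to ask of each wp_ajax_* and REST callback that touches settings is not "is the user logged in?" but "which capability does this endpoint require, and is that capability held by the lowest role that can reach it?"; a check for edit_posts, or no check at all, is exactly the condition this CVE describes.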

Affected Systems

WordPress sites that use the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin, specifically any installation running version 5.7.2 or earlier. Versions after 5.7.2 are not impacted by this issue, as the patch corrects the faulty capability checks.

Risk and Exploitability

The CVSS score of 4.3 maps to Medium severity under the CVSS v3.1 rating scale; the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires that an attacker already holds Author or higher privileges within the WordPress site, so the issue is a misuse of existing low-privilege access rather than an unauthenticated remote attack (the CVSS vector reflects this with AV:N/PR:L). While the exposure is limited to API key disclosure, the impact on confidentiality can be significant if the credentials control critical external services.

Generated by OpenCVE AI on April 22, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gutenberg Essential Blocks plugin to version 5.7.3 or newer, which corrects the missing capability checks.
  • If an update is not immediately possible, remove or disable the Google Map, Instagram, and Open Verse integrations so that the affected callbacks are no longer accessible, and delete any exposed API keys from the database.
  • Restrict or remove Author-level privileges from users who do not require access to the plugin's settings, ensuring that only administrators have visibility into sensitive configuration data.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

  References: updated (no values shown)

Wed, 17 Dec 2025 19:15:00 +0000

  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Dec 2025 14:30:00 +0000

  First time appeared, values added:
    Wordpress; Wordpress wordpress; Wpdevteam; Wpdevteam gutenberg Essential Blocks
  Vendors & Products, values added:
    Wordpress; Wordpress wordpress; Wpdevteam; Wpdevteam gutenberg Essential Blocks

Wed, 17 Dec 2025 02:15:00 +0000

  Description, value added:
    The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services.
  Title, value added:
    Essential Blocks <= 5.7.2 - Missing Authorization To Authenticated (Author+) Information Disclosure
  Weaknesses, value added:
    CWE-862
  References: updated (no values shown)
  Metrics (cvssV3_1), value added:
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:06.839Z

Reserved: 2025-10-06T13:48:08.856Z

Link: CVE-2025-11369

Vulnrichment

Updated: 2025-12-17T14:49:34.384Z

NVD

Status : Deferred

Published: 2025-12-17T02:16:00.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:00:18Z

Weaknesses