Description
The GenerateBlocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_option_rest' function in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with contributor level access and above, to read arbitrary WordPress options, including sensitive information such as SMTP credentials, API keys, and other data stored by other plugins.
Published: 2025-10-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a missing authorization check in the GenerateBlocks plugin for WordPress. The get_option_rest function performs no capability test, so any authenticated user with the Contributor role or higher can read the value of any WordPress option through the plugin's REST endpoint, not only the options the plugin itself owns. Options are where WordPress core and most plugins persist their configuration, so the exposed data can include SMTP credentials, API keys and similar secrets stored by other plugins. The weakness is classified as CWE-285 (Improper Authorization).
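To make the flaw concrete, here is an added illustration of the two shapes a WordPress REST route can take. It is not GenerateBlocks' code: the namespace example/v1, the route paths, the callback name and the option allowlist are placeholders. The first registration hands any option to any logged-in user; the second gates the route on manage_options and, as a second layer, only serves option names the plugin owns.

```php
<?php
// Added illustration, not GenerateBlocks source. Namespace, route and function
// names are placeholders; the real registration lives in the plugin's own code.

add_action('rest_api_init', function () {
    // Vulnerable shape: reachable by any authenticated user because the
    // permission callback accepts everyone, and the handler passes an
    // attacker-chosen name straight to get_option() with no capability check.
    register_rest_route('example/v1', '/get_option_insecure', [
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => '__return_true',
        'callback'            => function (WP_REST_Request $request) {
            return rest_ensure_response(get_option($request['option']));
        },
    ]);

    // Hardened shape. permission_callback runs before the handler and rejects
    // anyone who cannot manage options; the handler then refuses names outside
    // an allowlist, so even an administrator cannot read other plugins' secrets
    // through this route.
    register_rest_route('example/v1', '/get_option', [
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => [
            'option' => [
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
        'callback' => 'example_get_option_rest',
    ]);
});

// Placeholder allowlist: a real plugin lists exactly the options it registers.
const EXAMPLE_READABLE_OPTIONS = [
    'example_global_settings',
    'example_css_print_method',
];

function example_get_option_rest(WP_REST_Request $request) {
    $name = $request->get_param('option');
    if (!in_array($name, EXAMPLE_READABLE_OPTIONS, true)) {
        return new WP_Error(
            'rest_forbidden',
            __('This option cannot be read through the API.'),
            ['status' => 403]
        );
    }
    return rest_ensure_response([
        'option' => $name,
        'value'  => get_option($name),
    ]);
}
```

The permission callback is the check WordPress evaluates before dispatching to the handler; a route registered without one (or with __return_true) relies entirely on the handler to authorize, which is exactly what was missing here.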

Affected Systems

All releases of the GenerateBlocks WordPress plugin up to and including version 2.1.1 are affected; releases later than 2.1.1 fall outside the stated affected range. Any WordPress site running an affected release is exposed regardless of its theme or other plugins. Because exploitation needs a Contributor-or-higher account, sites whose default registration role is Contributor or above, multi-author editorial sites, and sites with many dormant low-privilege accounts carry the most risk.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a network-reachable, low-complexity attack that needs low privileges and no user interaction, with high confidentiality impact and no impact on integrity or availability. The EPSS score below 1% indicates a low predicted probability of in-the-wild exploitation, not that exploitation is difficult; the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below is Exploitation: none, Automatable: no, Technical Impact: partial. The one prerequisite is a valid WordPress account with Contributor or higher privileges. With that, an attacker sends a REST request to the endpoint backed by get_option_rest, names the option to read, and receives its value, including credentials that other plugins keep in options. Nothing else stands in the way, because the capability check that should reject non-administrators is absent.

Generated by OpenCVE AI on April 22, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround is linked on this record. The description bounds the affected range at 2.1.1, so check the plugin's changelog for the release that follows it.

OpenCVE Recommended Actions

  • Upgrade GenerateBlocks to a release later than 2.1.1, then confirm the installed version (Plugins screen, or wp plugin get generateblocks --field=version with WP-CLI).
  • If an upgrade cannot be performed immediately, add a capability check to the route backed by get_option_rest (for example a permission_callback that requires manage_options), or block that route for non-administrator roles.
  • Rotate every credential that could have been read from options (SMTP passwords, API keys, tokens stored by other plugins), and audit existing Contributor-and-above accounts, removing any that are unrecognised or dormant.
  • Scope any REST API restriction to the affected route: the block editor and many plugins depend on the REST API, so disabling it site-wide breaks the site, and blocking only unauthenticated access does not help here because the attacker is already logged in.
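The second and fourth recommendations can be applied without editing plugin files, as a must-use plugin that short-circuits the REST request before the route callback runs. The following is an added example, not code from GenerateBlocks or OpenCVE. The route pattern and the main plugin file path are assumptions to verify against the installed plugin (read its register_rest_route call and its directory listing); the guard disables itself once the installed version is above 2.1.1, and it logs every denial so the attempts show up in PHP error logs.

```php
<?php
/**
 * Plugin Name: Guard for the GenerateBlocks option-read endpoint
 * Description: Added example (not GenerateBlocks code). Place in
 *              wp-content/mu-plugins/ and delete after upgrading past 2.1.1.
 */

// ASSUMPTION: route pattern and main plugin file. Confirm both against the
// plugin's register_rest_route() call and the plugin directory before use.
const GB_GUARD_ROUTE_PATTERN    = '#^/generateblocks/v1/get_option#';
const GB_GUARD_PLUGIN_MAIN_FILE = 'generateblocks/plugin.php';

/**
 * True when the installed GenerateBlocks version is within the affected range
 * (<= 2.1.1). version_compare() orders "2.10.0" above "2.1.1", which a plain
 * string comparison would get wrong.
 */
function gb_guard_plugin_is_vulnerable(): bool {
    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $main = WP_PLUGIN_DIR . '/' . GB_GUARD_PLUGIN_MAIN_FILE;
    if (!is_readable($main)) {
        return false; // not installed at the assumed path: nothing to guard
    }
    $data = get_plugin_data($main, false, false);
    return version_compare($data['Version'] ?? '0', '2.1.1', '<=');
}

/**
 * Runs inside the REST dispatcher before any route callback. For the targeted
 * route, users without manage_options receive 401 (logged out) or 403
 * (logged in), and the plugin's own callback never executes.
 */
function gb_guard_rest_request($response, $handler, WP_REST_Request $request) {
    if ($response !== null) {
        return $response; // an earlier filter already answered or errored
    }
    if (!preg_match(GB_GUARD_ROUTE_PATTERN, $request->get_route())) {
        return $response; // every other route is untouched
    }
    if (!gb_guard_plugin_is_vulnerable()) {
        return $response; // patched release installed: guard stays dormant
    }
    if (!current_user_can('manage_options')) {
        error_log(sprintf(
            'gb-guard: denied option read on %s for user %d',
            $request->get_route(),
            get_current_user_id()
        ));
        return new WP_Error(
            'rest_forbidden',
            __('Sorry, you are not allowed to read site options.'),
            ['status' => rest_authorization_required_code()]
        );
    }
    return $response;
}
add_filter('rest_request_before_callbacks', 'gb_guard_rest_request', 10, 3);
```

Because the filter runs in WP_REST_Server::dispatch, it also covers requests that reach the route internally through rest_do_request(), and since it matches one route pattern only, the block editor and other REST consumers keep working. The denial log lines give incident responders a list of accounts that probed the endpoint while the guard was in place.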

Generated by OpenCVE AI on April 22, 2026 at 12:38 UTC.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Generateblocks
                                      Generateblocks generateblocks
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products   -                Generateblocks
                                      Generateblocks generateblocks
                                      Wordpress
                                      Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 05:45:00 +0000

Type          Values Removed   Values Added
Description   -                The GenerateBlocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_option_rest' function in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with contributor level access and above, to read arbitrary WordPress options, including sensitive information such as SMTP credentials, API keys, and other data stored by other plugins.
Title         -                GenerateBlocks <= 2.1.1 - Improper Authorization to Authenticated (Contributor+) Arbitrary Options Disclosure
Weaknesses    -                CWE-285
References
Metrics       -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:17.656Z

Reserved: 2025-10-16T17:39:33.643Z

Link: CVE-2025-11879

Vulnrichment

Updated: 2025-10-27T15:51:31.634Z

NVD

Status: Deferred

Published: 2025-10-25T06:15:35.490

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11879

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses