Description
The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.
Published: 2026-01-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Missing authorization checks let authenticated users with Subscriber-level access or higher edit plugin settings and read sensitive API keys.
Action: Apply Patch
AI Analysis

Impact

The aBlocks WordPress plugin suffers from absent capability checks on several AJAX actions. Authenticated users with a Subscriber role or higher can modify block visibility, maintenance mode, and other settings, and can read third-party email marketing API keys. This lack of authorization enables the attacker to alter site behaviour and expose confidential configuration information, reflecting CWE-862.

Affected Systems

All installations of kodezen’s aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder plugin for WordPress up to and including version 2.4.0 are affected. The vulnerability exists across all WordPress sites that have not applied the latest plugin release.

Risk and Exploitability

The CVSS score of 5.4 classifies this as a medium-severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not catalogued in CISA's KEV list. Exploitation requires an account on the target site: any user who can log in with Subscriber or higher privileges can invoke the vulnerable AJAX actions to read or change settings. No further privilege escalation is required beyond that normal authenticated access.

Generated by OpenCVE AI on April 21, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aBlocks to version 2.5.0 or later where the capability checks have been added.
  • If an immediate upgrade is not possible, deactivate the plugin to stop access to the vulnerable AJAX endpoints.
  • If deactivation is not feasible, restrict AJAX endpoint access to administrators by adding custom capability checks or using a security plugin.
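The root cause described above (CWE-862, a missing capability check on an AJAX action) and the third recommended action (adding capability checks) can be illustrated with a generic WordPress handler. The following is an added example written for this page, not code from the aBlocks plugin; the action names (`example_get_settings`, `example_save_settings`), the option name `example_plugin_settings` and the field names are hypothetical. The vulnerable pair shows the pattern the advisory describes; the hardened pair shows the fix. Note that a `wp_ajax_{action}` hook runs for every logged-in user regardless of role, so the handler itself must check capabilities; a nonce alone only stops CSRF and does not fix the authorization gap.

```php
<?php
/**
 * Added illustration of CWE-862 in a WordPress AJAX handler.
 * Not code from the aBlocks plugin; all action, option and field names are hypothetical.
 */

// --- Vulnerable pattern: reachable by any authenticated user, no authorization. ---
add_action( 'wp_ajax_example_get_settings', 'example_get_settings_vulnerable' );
function example_get_settings_vulnerable() {
    // Any logged-in user (Subscriber+) hitting admin-ajax.php receives the whole option,
    // including any API key stored in it.
    wp_send_json_success( get_option( 'example_plugin_settings', array() ) );
}

add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // Unchecked write: no nonce, no capability check, no sanitisation.
    update_option( 'example_plugin_settings', $_POST['settings'] ?? array() );
    wp_send_json_success();
}

// --- Hardened pattern: nonce (CSRF) plus capability check (authorization). ---
add_action( 'wp_ajax_example_get_settings_secure', 'example_get_settings_secure' );
function example_get_settings_secure() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' ); // dies with 403 on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {          // administrators only
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $settings = get_option( 'example_plugin_settings', array() );
    // Do not echo stored secrets back to the browser; return a masked placeholder instead.
    if ( isset( $settings['mailer_api_key'] ) && $settings['mailer_api_key'] !== '' ) {
        $settings['mailer_api_key'] = '****';
    }
    wp_send_json_success( $settings );
}

add_action( 'wp_ajax_example_save_settings_secure', 'example_save_settings_secure' );
function example_save_settings_secure() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Whitelist and sanitise each field instead of storing the request body as-is.
    $clean = array(
        'maintenance_mode' => ! empty( $raw['maintenance_mode'] ),
        'block_visibility' => array_map( 'sanitize_key', (array) ( $raw['block_visibility'] ?? array() ) ),
    );

    // Only overwrite the secret when a real new value is submitted; the masked
    // placeholder returned by the read handler must never be written back.
    $current   = get_option( 'example_plugin_settings', array() );
    $submitted = isset( $raw['mailer_api_key'] ) ? sanitize_text_field( $raw['mailer_api_key'] ) : '';
    $clean['mailer_api_key'] = ( $submitted !== '' && $submitted !== '****' )
        ? $submitted
        : ( $current['mailer_api_key'] ?? '' );

    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success();
}
```

The capability used here, `manage_options`, is the usual gate for plugin settings; the nonce is generated on the settings page with `wp_create_nonce( 'example_settings_nonce' )` and sent as the `nonce` request field. Masking the key on read is what prevents the information-disclosure half of the advisory even if a lower-privileged role is later granted access to the read action.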

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Kodezen
                                        Kodezen ablocks
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products                      Kodezen
                                        Kodezen ablocks
                                        Wordpress
                                        Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type                  Values Removed    Values Added
Metrics ssvc                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 07:30:00 +0000

Type                  Values Removed    Values Added
Description                             The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.
Title                                   aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification
Weaknesses                              CWE-862
References
Metrics cvssV3_1                        {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:47.001Z

Reserved: 2025-10-28T20:24:52.413Z

Link: CVE-2025-12449

Vulnrichment

Updated: 2026-01-07T14:50:08.030Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:46.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses