Description
The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification
Action: Immediate Patch
AI Analysis

Impact

The Coding Blocks plugin for WordPress is vulnerable to CSRF because it omits nonce validation when updating settings. An attacker who tricks a site administrator into clicking a crafted link can change any plugin configuration, including theme parameters, without authentication. This flaw corresponds to CWE‑352 and enables an unauthenticated user to modify settings that may influence the site’s appearance and behavior.

Affected Systems

WordPress sites running the Coding Blocks plugin version 1.1.0 or earlier from the vendor Octagonsimon. All affected installations are susceptible to the CSRF flaw until the plugin is upgraded beyond 1.1.0.

Risk and Exploitability

The CVSS score of 4.3 rates the flaw as medium severity, while the EPSS score of less than 1% indicates a very low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. The likely attack requires an authenticated administrator to click a malicious link; thus, active attackers need only social engineering rather than technical compromise. Even so, site owners should treat the vulnerability as a risk to configuration integrity.

Generated by OpenCVE AI on April 21, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Coding Blocks to the latest version that includes proper nonce validation.
  • Verify that the settings update pages enforce CSRF protection by requiring a valid nonce.
  • Restrict access to the plugin settings to trusted administrators and avoid sending configuration URLs to untrusted users.
  • Consider temporarily disabling the plugin or removing it until an update is applied if immediate risk exists.

Generated by OpenCVE AI on April 21, 2026 at 17:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Coding Blocks <= 1.1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:59.991Z

Reserved: 2025-12-05T20:35:29.484Z

Link: CVE-2025-14158

cve-icon Vulnrichment

Updated: 2025-12-15T18:00:47.667Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:48.380

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14158

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses