Description
Missing Authorization vulnerability in CozyThemes Cozy Blocks cozy-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through <= 2.1.22.
Published: 2025-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in CozyThemes' Cozy Blocks plugin is a missing authorization flaw (CWE-862, Missing Authorization): a function that should be reserved for higher-privileged users is reachable without an adequate capability check, so an attacker can bypass the normal access controls and invoke it. Depending on the function, this can lead to unauthorized data disclosure, data manipulation, or configuration changes on the WordPress site, touching the confidentiality, integrity, and availability of the installation; the published CVSS vector (C:L/I:N/A:N) scores the measured impact as limited to confidentiality.

Affected Systems

The affected product is the Cozy Blocks plugin (cozy-addons) for WordPress, provided by CozyThemes. All versions up to and including 2.1.22 are vulnerable. Any WordPress site that has installed the Cozy Blocks plugin is exposed.

Risk and Exploitability

With a CVSS score of 5.3, the issue is of medium severity. The EPSS score is below 1%, indicating a low probability of exploitation at the current time, and it is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes a remote attacker reaching the plugin's exposed functionality through the web interface of a WordPress site, with no account or user interaction required. Exploitation requires the attacker to identify a function the plugin exposes without the capability check it should have.

Generated by OpenCVE AI on April 30, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cozy Blocks to the latest version that contains the authorization fix
  • Apply role‑based restrictions or WAF rules to block privileged actions for non‑administrator accounts
  • Test the site with a low‑privileged user to confirm that restricted functions are no longer accessible

Advisories
Source: EUVD
ID: EUVD-2025-13836
Title: Missing Authorization vulnerability in CozyThemes Cozy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through 2.1.22.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Missing Authorization vulnerability in CozyThemes Cozy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through 2.1.22.
Values added: Missing Authorization vulnerability in CozyThemes Cozy Blocks cozy-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cozy Blocks: from n/a through <= 2.1.22.

Type: Title
Values removed: WordPress Cozy Blocks <= 2.1.22 - Broken Access Control Vulnerability
Values added: WordPress Cozy Blocks plugin <= 2.1.22 - Broken Access Control Vulnerability

Type: References

Type: Metrics
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values removed: epss {'score': 0.0004}
Values added: epss {'score': 0.00042}


Thu, 08 May 2025 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:30:00 +0000

Type: Description
Values added: Missing Authorization vulnerability in CozyThemes Cozy Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cozy Blocks: from n/a through 2.1.22.

Type: Title
Values added: WordPress Cozy Blocks <= 2.1.22 - Broken Access Control Vulnerability

Type: Weaknesses
Values added: CWE-862

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.772Z

Reserved: 2025-05-07T09:39:08.090Z

Link: CVE-2025-47485

Vulnrichment

Updated: 2025-05-08T16:18:28.338Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:02.780

Modified: 2026-04-23T15:30:18.767

Link: CVE-2025-47485

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:45:36Z

Weaknesses