Description
Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through <= 2.1.0.
Published: 2025-06-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing‑authorization flaw (CWE-862): the code path that updates "MaxiBlocks" plugin options performs no permission check before writing. Any user who can reach that option‑update endpoint can therefore alter the plugin's configuration and, as the advisory title ("Arbitrary Option Update to Privilege Escalation") indicates, use that to grant themselves higher privileges or change site behaviour in ways that were not intended. The description explicitly states the missing authorization, and the assigned CWE confirms the lack of a privilege check in the affected code.

Affected Systems

Christiaan Pieterse’s MaxiBlocks WordPress plugin is affected in all releases from the original version through 2.1.0. Users running any of these versions should determine their installed version and seek a newer release if one is available.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 denotes a high‑severity weakness, while the EPSS score of less than 1% indicates that widespread exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the CVSS vector (network‑reachable, low privileges required, no user interaction) and typical WordPress plugin access patterns, it is inferred that an authenticated user with a role lower than administrator can reach the option‑update endpoint and perform the privilege escalation; no external attack surface beyond legitimate WordPress access is required.

Generated by OpenCVE AI on May 1, 2026 at 07:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest MaxiBlocks release; vendors usually fix such missing‑authorization bugs in future updates.
  • Restrict the option‑management interface so that only administrator roles can edit or update plugin options, for example by disabling the options page or adding role checks.
  • Monitor the user activity logs for unexpected changes to plugin options or sudden elevation of user capabilities, and audit any recent changes for suspicious activity.
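The sketch below is an added illustration of the second and third recommendations; it is hypothetical plugin code, not MaxiBlocks' code and not from the OpenCVE record. It shows a REST route in the CWE-862 shape (a `permission_callback` that grants access to everyone and a handler that writes whatever option it is given) beside a hardened version that requires the `manage_options` capability, accepts only an allowlisted set of option names, sanitizes values and logs each change. Every name prefixed `example_`, the route path and the option names are assumptions made for the example.

```php
<?php
// Added example: hypothetical WordPress plugin code, NOT taken from MaxiBlocks.
// Names prefixed "example_", the route "example/v1/options" and the option
// names below are assumptions made for this illustration.

// --- Weak pattern (the CWE-862 shape described in the advisory):
// permission_callback allows every caller and the handler writes any option
// name/value pair the request supplies, so the only barrier is reaching the
// endpoint at all.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/options-weak', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => '__return_true',            // no authorization check
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( $req['name'], $req['value'] );    // arbitrary option update
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// --- Hardened pattern: capability check, allowlist with per-option
// sanitizers, and an audit line for every change.

// Assumed option names the plugin legitimately lets an admin change,
// mapped to the sanitizer applied to the submitted value.
const EXAMPLE_SETTABLE_OPTIONS = array(
    'example_plugin_theme'     => 'sanitize_key',
    'example_plugin_cache_ttl' => 'absint',
);

// Runs before the handler; WordPress returns 401/403 when this fails.
// manage_options is the capability administrators hold by default, so
// subscriber/contributor/author/editor roles are refused here.
function example_options_permission( WP_REST_Request $req ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

function example_options_update( WP_REST_Request $req ) {
    $name = (string) $req->get_param( 'name' );

    // Refuse anything outside the allowlist, so options such as user roles
    // or default_role can never be reached through this route.
    if ( ! array_key_exists( $name, EXAMPLE_SETTABLE_OPTIONS ) ) {
        return new WP_Error( 'rest_invalid_param', 'Option is not settable.', array( 'status' => 400 ) );
    }

    $sanitize = EXAMPLE_SETTABLE_OPTIONS[ $name ];
    $value    = call_user_func( $sanitize, $req->get_param( 'value' ) );
    $old      = get_option( $name );

    update_option( $name, $value );

    // Audit trail for the monitoring recommendation: who changed which option,
    // from what to what. A real site would feed this into its activity log.
    error_log( sprintf(
        'example plugin option change: user=%d option=%s old=%s new=%s',
        get_current_user_id(), $name, wp_json_encode( $old ), wp_json_encode( $value )
    ) );

    return rest_ensure_response( array( 'ok' => true, 'option' => $name ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/options', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => 'example_options_permission',   // role check first
        'callback'            => 'example_options_update',
        'args'                => array(
            'name'  => array( 'required' => true, 'type' => 'string' ),
            'value' => array( 'required' => true ),
        ),
    ) );
} );
```

The same two checks apply to an admin-ajax handler: call `check_ajax_referer()` and `current_user_can( 'manage_options' )` at the top of the handler before touching any option. Logged-in REST requests are already protected against CSRF by WordPress's `X-WP-Nonce` cookie-auth check, which is why no manual nonce appears in the hardened route.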

Advisories
Source: EUVD
ID: EUVD-2025-17369
Title: Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through 2.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
Description (value removed): Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through 2.1.0.
Description (value added): Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through <= 2.1.0.
References
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Jun 2025 15:15:00 +0000
Metrics (ssvc, value added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 07 Jun 2025 05:00:00 +0000
Description (value added): Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through 2.1.0.
Title (value added): WordPress MaxiBlocks plugin <= 2.1.0 - Arbitrary Option Update to Privilege Escalation vulnerability
Weaknesses (value added): CWE-862
References
Metrics (cvssV3_1, value added): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:46.906Z

Reserved: 2025-05-07T10:44:26.562Z

Link: CVE-2025-47601

Vulnrichment

Updated: 2025-06-09T15:08:50.527Z

NVD

Status: Deferred

Published: 2025-06-07T05:15:24.213

Modified: 2026-04-23T15:30:34.667

Link: CVE-2025-47601

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses