The ZoloBlocks plugin contains a missing authorization flaw that allows attackers to perform actions beyond their intended privileges. This weakness creates an opportunity for unauthorized users to manipulate site content, settings, or configuration, potentially leading to data exposure, defacement, or further compromise. The vulnerability is rated as a moderate incident with a CVSS score of 5.3, indicating that it may enable non‑privileged attackers to affect the integrity of the site.

WordPress installations that utilize the bdthemes ZoloBlocks plugin version 2.3.11 or earlier are affected. The issue spans from the earliest versions up to and including 2.3.11, with no further details on subsequent releases. Sites that cannot upgrade should consider disabling the plugin until a fix is available.

The lack of proper access control suggests that the vulnerability could be triggered by any authenticated user or, depending on the plugin’s exposed endpoints, potentially by unauthenticated traffic. The EPSS score of less than 1% indicates that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the plugin’s ability to modify site content without proper checks represents a tangible risk, especially for high‑value or public websites.