Description
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.
Published: 2026-05-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GenerateBlocks plugin contains a missing object‑level authorization check on its dynamic tag replacement REST endpoint. The endpoint verifies only that a user can edit posts but does not confirm that the user has permission to view the specific post or its metadata referenced by attacker‑controlled identifiers. This flaw allows an authenticated user with the Contributor role or higher to read sensitive data such as author email addresses and non‑protected post meta values by crafting dynamic tag payloads like {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.

Affected Systems

Any WordPress site running GenerateBlocks at version 2.2.0 or earlier is affected. Releases after 2.2.0 fall outside the affected range as described. Any authenticated user with Contributor-level capability or higher can exploit the flaw, and the target post need not be one the attacker owns or can edit.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) rates the issue medium severity: reachable over the network, low attack complexity, high confidentiality impact and no integrity or availability impact. The EPSS score below 1% indicates a very low predicted probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. An attacker needs a valid account with Contributor-level access or higher, then sends a request to /wp-json/generateblocks/v1/dynamic-tag-replacements carrying a dynamic tag whose id parameter points at another user’s post. Because the endpoint performs only a generic edit_posts capability check and no per-post ownership check, exploitation is a single authenticated request; no privilege beyond Contributor and no prior compromise of the server is required.

Generated by OpenCVE AI on May 5, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GenerateBlocks plugin to a version that adds the missing object‑level authorization check, once the vendor publishes one.
  • If an immediate upgrade is not possible, restrict access to the /wp-json/generateblocks/v1/dynamic-tag-replacements endpoint to Administrators only by adding a capability check or by disabling the endpoint for non‑administrator roles via a custom code snippet.
  • Use a role‑management or REST‑API‑security plugin to enforce that only users with explicit permission to view a post can reference that post in dynamic tag replacements, thereby reintroducing proper object‑level access control.
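
The two interim mitigations above (restricting the endpoint to Administrators, or re-adding a per-post ownership check) can both be implemented from a single must-use plugin. The following is example code written for this page; it is not part of GenerateBlocks or OpenCVE. It assumes the REST route string given in the description, and that the target post ids appear in the request parameters as id:<number> inside the dynamic tag text, since the page does not document the endpoint's parameter names. The constant, function and error names are hypothetical.

```php
<?php
/**
 * Plugin Name: Harden GenerateBlocks dynamic-tag-replacements (added example)
 * Description: Interim mitigation for CVE-2026-3454. Drop into wp-content/mu-plugins/.
 *
 * Example code written for this page, not the plugin's own fix.
 * Assumptions: the route string matches the advisory, and post ids are
 * referenced as "id:<number>" inside the dynamic tag text sent to the endpoint.
 */

// true  = block the endpoint for everyone except Administrators.
// false = allow the endpoint but enforce a per-post authorization check.
define( 'GB_DTR_ADMIN_ONLY', false );

add_filter( 'rest_pre_dispatch', 'gb_dtr_guard', 10, 3 );

/**
 * Runs before the endpoint's own callbacks. Returning a WP_Error from
 * rest_pre_dispatch short-circuits the request with that error.
 */
function gb_dtr_guard( $result, $server, $request ) {
    // Only act on the vulnerable route; leave every other REST call untouched.
    if ( $request->get_route() !== '/generateblocks/v1/dynamic-tag-replacements' ) {
        return $result;
    }

    if ( GB_DTR_ADMIN_ONLY ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error(
                'gb_dtr_forbidden',
                'Endpoint restricted to administrators.',
                array( 'status' => 403 )
            );
        }
        return $result;
    }

    // Object-level check: every post id referenced anywhere in the request
    // must be one the caller may edit. A Contributor can edit only their own
    // unpublished posts, so references to other users' posts are refused.
    $strings = array();
    gb_dtr_collect_strings( $request->get_params(), $strings );
    foreach ( gb_dtr_extract_ids( implode( "\n", $strings ) ) as $post_id ) {
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return new WP_Error(
                'gb_dtr_forbidden',
                sprintf( 'Not allowed to reference post %d.', $post_id ),
                array( 'status' => 403 )
            );
        }
    }
    return $result;
}

/** Flatten nested request params (JSON body, form body, query) into strings. */
function gb_dtr_collect_strings( $value, array &$out ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $v ) {
            gb_dtr_collect_strings( $v, $out );
        }
    } elseif ( is_scalar( $value ) ) {
        $out[] = (string) $value;
    }
}

/**
 * Pull every "id:<n>" out of dynamic-tag text such as
 * "{{post_meta id:42|key:some_key}}" and return the unique integer ids.
 */
function gb_dtr_extract_ids( $text ) {
    if ( ! preg_match_all( '/\bid:\s*(\d+)/', (string) $text, $m ) ) {
        return array();
    }
    return array_values( array_unique( array_map( 'intval', $m[1] ) ) );
}
```

With GB_DTR_ADMIN_ONLY left false, the check is deliberately stricter than "can view the post": it uses the edit_post meta capability, because the leaked fields (author email address, post meta) are not something an ordinary reader of a published post is entitled to. Authors and Contributors can therefore reference only their own posts, while Editors and Administrators, who hold edit_others_posts, keep full use of the feature. A request whose id cannot be mapped to an editable post receives HTTP 403 before the plugin's own handler runs.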

Advisories

No advisories yet.

History

Tue, 05 May 2026 13:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 11:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Edge22; Edge22 generateblocks; Wordpress; Wordpress wordpress
Vendors & Products                     Edge22; Edge22 generateblocks; Wordpress; Wordpress wordpress

Tue, 05 May 2026 07:00:00 +0000

Type          Values Removed    Values Added
Description                     The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.
Title                           GenerateBlocks <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Dynamic Tag Replacements
Weaknesses                      CWE-639
References
Metrics                         cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T12:59:24.734Z

Reserved: 2026-03-02T18:19:27.487Z

Link: CVE-2026-3454

Vulnrichment

Updated: 2026-05-05T12:59:20.348Z

NVD

Status : Deferred

Published: 2026-05-05T07:16:00.277

Modified: 2026-05-05T19:08:20.090

Link: CVE-2026-3454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T11:00:06Z

Weaknesses