Impact
This vulnerability permits an attacker to read sensitive information embedded within the data sent by the GenerateBlocks plugin. The exposed data can include credentials, configuration details, or other confidential content, leaking it to unauthorized parties. The weakness is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), an information-exposure flaw in which sensitive data is inadvertently included in the output the application transmits. The impact is primarily a breach of confidentiality, as attackers could obtain personal or corporate secrets without needing further exploitation.
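To make the CWE-201 pattern concrete from a defender's side, the following is an added illustration written for this page; it is not GenerateBlocks' code and says nothing about where the real plugin exposes data. It assumes a hypothetical WordPress plugin (`example-plugin`) that stores its settings in a single option array which also holds a secret, and exposes those settings through a REST route. The unsafe callback returns the whole array; the hardened callback sends only an explicit allowlist of fields, so a secret stored next to display settings never reaches the wire.

```php
<?php
// Added example of CWE-201 (Insertion of Sensitive Information Into Sent Data)
// in a WordPress REST endpoint. Hypothetical plugin; not GenerateBlocks' own code.
// Assumption: settings live in the option 'example_plugin_settings', an array that
// may contain both harmless display values and a secret such as an API key.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'GET',
        // Assumption: the route is meant to be readable by unauthenticated
        // visitors (e.g. front-end block rendering), which is exactly why the
        // response body must be filtered before it is sent.
        'permission_callback' => '__return_true',
        'callback'            => 'example_plugin_get_settings_safe',
    ) );
} );

// Vulnerable pattern: the entire option array is serialised into the response.
// Any secret stored alongside the display settings is leaked to every caller.
function example_plugin_get_settings_unsafe() {
    $settings = get_option( 'example_plugin_settings', array() );
    return rest_ensure_response( $settings );
}

// Hardened pattern: keep only the keys that are safe to publish.
// array_intersect_key() drops everything not on the allowlist, so new secret
// fields added to the option later are excluded by default rather than leaked.
function example_plugin_public_settings( array $settings ) {
    $public_keys = array( 'color_scheme', 'container_width', 'enable_blocks' );
    return array_intersect_key( $settings, array_flip( $public_keys ) );
}

function example_plugin_get_settings_safe() {
    $settings = get_option( 'example_plugin_settings', array() );
    return rest_ensure_response( example_plugin_public_settings( (array) $settings ) );
}
```

The design choice worth noting is allowlisting rather than denylisting: a denylist of "known secret" keys silently fails the moment a new sensitive field is added to the stored array, whereas an allowlist leaks nothing new unless a developer deliberately adds the key. When reviewing a plugin for this weakness class, the check is the same for every REST route, AJAX handler, or localized script object: compare the fields that are actually written to the response against the fields the caller legitimately needs.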
Affected Systems
The vulnerability affects the WordPress GenerateBlocks plugin provided by Tom:GenerateBlocks. All plugin releases from the earliest version up through 2.1.0 are vulnerable. Users running any plugin version up to and including 2.1.0 need to address the issue.
Risk and Exploitability
The CVSS score for this flaw is 6.5, indicating moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. An attacker can likely exploit the problem remotely by delivering a request to a WordPress site that uses the plugin, as the data is transmitted over the network. Because the vulnerability involves data exposure rather than code execution or denial of service, the attack vector does not require local compromise; it can be performed from an external network if the site is publicly accessible. The lack of public exploitation data suggests that the threat remains theoretical, but the moderate CVSS and the sensitivity of the exposed data warrant prompt remediation.
OpenCVE Enrichment