WordPress Plugin Vulnerabilities

The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Missing Authorization

Description

The The Plus Blocks for Block Editor | Gutenberg plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the Tp_f_delete_transient() function in versions up to, and including, 3.2.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete transients.

Affects Plugins

Plugin icon
the-plus-addons-for-block-editor
Fixed in 3.2.6

References

CVE
CVE-2024-33572
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7d6c19e2-b280-4937-8f66-eac1da3cd365

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
13dc033f-4db5-4aa3-b0df-63c2b41791fd

Timeline

Publicly Published
2024-04-25 (about 2 years ago)
Added
2024-05-01 (about 2 years ago)
Last Updated
2024-05-01 (about 2 years ago)

Other

Published
Title
Published
2026-02-12
Title
Ashe < 2.268 - Missing Authorization
Published
2026-02-11
Title
Gutenberg Blocks by Kadence Blocks < 3.6.0 - Missing Authorization
Published
2025-03-21
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.4.5 - Missing Authorinzation to Authenticated (Subscriber+) Join Group Requests Management
Published
2023-12-07
Title
Custom Login < 4.1.1 - Subscriber+ Unauthorised Action
Published
2025-07-30
Title
HT Mega < 2.9.1 - Missing Authorization