WordPress Plugin Vulnerabilities

VK Blocks < 1.95.0.3 - Missing Authorization to Sensitive Information Exposure

Description

The VK Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.94.2.2 via the page content block. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of private posts and pages.

Affects Plugins

Plugin icon
vk-blocks
Fixed in 1.95.0.3

References

CVE
CVE-2024-13635
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc03b3f4-2edb-463b-812b-6a187a7a893c

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nishiv
Verified
No
WPVDB ID
2666a777-2bce-45de-bf67-cc56397f44c5

Timeline

Publicly Published
2025-03-06 (about 1 year ago)
Added
2025-03-11 (about 1 year ago)
Last Updated
2025-03-11 (about 1 year ago)

Other

Published
Title
Published
2022-05-18
Title
JupiterX < 2.0.7 & JupiterX Core < 2.0.7 - Subscriber+ Arbitrary Plugin Deactivation and Settings Update
Published
2023-10-09
Title
Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update
Published
2020-09-28
Title
WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure
Published
2020-12-14
Title
Total Upkeep by BoldGrid < 1.14.10 - Sensitive Data Disclosure (Server IP Address, UID etc)
Published
2024-02-27
Title
WordPress Access Control <= 4.0.13 - Improper Access Control to Sensitive Information Exposure via REST API