WordPress Plugin Vulnerabilities

aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification

Description

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.

Affects Plugins

Plugin icon
ablocks
No known fix

References

CVE
CVE-2025-12449
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
mahdi salhi (CaptinSharky01)
Verified
No
WPVDB ID
4508b710-d8f4-4562-80b6-635b640d9e04

Timeline

Publicly Published
2026-01-06 (about 4 months ago)
Added
2026-01-06 (about 4 months ago)
Last Updated
2026-04-15 (about 1 month ago)

Other

Published
Title
Published
2024-04-23
Title
Send PDF for Contact Form 7 < 1.0.2.4 - Missing Authorization
Published
2025-04-17
Title
Vitepos < 3.1.8 - Missing Authorization
Published
2025-02-23
Title
Market Exporter < 2.0.22 - Missing Authorization
Published
2024-04-29
Title
RomethemeKit For Elementor < 1.4.2 - Missing Authorization
Published
2026-01-27
Title
Directorist < 8.6.7 - Missing Authorization