WordPress Plugin Vulnerabilities

GenerateBlocks < 2.1.2 - Contributor+ Arbitrary Options Disclosure

Description

The plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'get_option_rest' function. This makes it possible for authenticated attackers, with contributor level access and above, to read arbitrary WordPress options, including sensitive information such as SMTP credentials, API keys, and other data stored by other plugins.

Affects Plugins

Plugin icon
generateblocks
Fixed in 2.1.2

References

CVE
CVE-2025-11879
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f1ba1c7-de88-4070-a4ec-fbe4a0c30920

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Lucas Montes (Nirox)
Verified
No
WPVDB ID
8e8d83ee-1171-45f0-9a24-ed148e4b4a6f

Timeline

Publicly Published
2025-10-24 (about 6 months ago)
Added
2025-10-27 (about 6 months ago)
Last Updated
2025-10-27 (about 6 months ago)

Other

Published
Title
Published
2023-11-03
Title
Simple Job Board < 2.10.6 - Missing Authorization
Published
2025-01-16
Title
Interactive Page Hierarchy <= 1.0.1 - Missing Authorization
Published
2024-03-28
Title
WP Hotel Booking < 2.0.9.3 - Missing Authorization
Published
2026-02-10
Title
JW Player for WordPress <= 2.3.7 - Missing Authorization
Published
2023-12-26
Title
LA-Studio Element Kit for Elementor < 1.1.6 - Missing Authorization