Essential Blocks < 5.7.3 – Missing Authorization To Authenticated (Author+) Information Disclosure | CVE 2025-11369 | Plugin Vulnerabilities

Description

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services.

Affects Plugins

essential-blocks

Fixed in 5.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

af64d0d6-2dfc-4f14-b609-5f4bb2a1e481

Timeline

Publicly Published

2025-12-16 (about 4 months ago)

Added

2025-12-16 (about 4 months ago)

Last Updated

2026-02-11 (about 3 months ago)

Other

Published

Title

Published

2026-02-18

Title

Envo Extra < 1.9.14 - Missing Authorization

Published

2026-03-02

Title

VW Portfolio < 1.3.4 - Missing Authorization

Published

2025-03-03

Title

Newscrunch < 1.8.4.1 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2025-04-01

Title

Pin Generator < 2.0.1 - Missing Authorization

Published

2024-11-01

Title

Otter - Gutenberg Block < 3.0.4 - Missing Authorization