GenerateBlocks < 2.0.0 – Authenticated (Contributor+) Sensitive Information Exposure via 'get_image_description' | CVE 2024-13546 | Plugin Vulnerabilities

Description

The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.1 via the 'get_image_description' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of private, draft, and scheduled posts and pages.

Affects Plugins

Fixed in 2.0.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f6f2a8c-ecd9-482c-a32e-0c3d7a7e4ec4

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Nishiv

Verified

No

WPVDB ID

e476d56a-ed7a-4eb8-a950-a60371ad6993

Timeline

Publicly Published

2025-02-28 (about 1 year ago)

Added

2025-02-28 (about 1 year ago)

Last Updated

2025-03-01 (about 1 year ago)

Other

Published

Title

Published

2025-04-01

Title

Srbtranslatin <= 3.2.0 - Unauthenticated Sensitive Information Exposure

Published

2026-01-26

Title

FullCalendar <= 1.6 - Unauthenticated Information Exposure

Published

2025-12-15

Title

Pixel Manager for WooCommerce < 1.52.0 - Unauthenticated Information Exposure

Published

2024-07-26

Title

Add Admin JavaScript <= 2.0 - Unauthenticated Full Path Dislcosure

Published

2023-11-28

Title

BigCommerce <= 5.1.2 - Unauthenticated Sensitive Information Exposure