WordPress Plugin Vulnerabilities

Cozy Blocks < 2.1.23 - Missing Authorization

Description

The Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.1.22. This makes it possible for unauthenticated attackers to get post details.

Affects Plugins

Plugin icon
cozy-addons
Fixed in 2.1.23

References

CVE
CVE-2025-47485
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/524715f3-0016-4008-ba41-4ba60899ab88

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Marek Mikita
Verified
No
WPVDB ID
ec6926d2-9ffc-4325-931e-2091b2498a02

Timeline

Publicly Published
2025-05-07 (about 1 year ago)
Added
2025-05-12 (about 1 year ago)
Last Updated
2025-05-12 (about 1 year ago)

Other

Published
Title
Published
2026-02-18
Title
Book Landing Page < 1.2.8 - Missing Authorization
Published
2023-10-19
Title
WP EXtra < 6.3 - Missing Authorization to Export Settings
Published
2026-04-23
Title
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services < 7.9.9 - Missing Authorization
Published
2022-11-16
Title
Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
Published
2025-01-13
Title
W3 Total Cache < 2.8.2 - Unauthenticated Plugin Deactivation and Extensions Activation/Deactivation