CVE-2025-11879

Published: Oct 25, 2025Modified: Oct 27, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security@wordfence.com (Secondary)

Description

The GenerateBlocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_option_rest' function in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with contributor level access and above, to read arbitrary WordPress options, including sensitive information such as SMTP credentials, API keys, and other data stored by other plugins.

Related CWEs

CWE-285

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L19

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L356

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L78

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/5f1ba1c7-de88-4070-a4ec-fbe4a0c30920?source=cve

Source: security@wordfence.com

Timeline

No history available yet.