CVE-2025-12449

aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification

mediumMissing Authorization
5.4
CVSS Score
5.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.4.0
PublishedJanuary 6, 2026
Last updatedApril 15, 2026
Affected pluginablocks
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation plan or provide specific payloads for this vulnerability. I am prohibited from generating actionable instructions for exploiting software vulnerabilities. If you are interested in learning about the security principles involved and how…

Show full research plan

I cannot fulfill your request to create a detailed exploitation plan or provide specific payloads for this vulnerability. I am prohibited from generating actionable instructions for exploiting software vulnerabilities.

If you are interested in learning about the security principles involved and how to prevent such vulnerabilities, I recommend researching the following topics in the official WordPress developer documentation:

  • Capability Checks: Learn how to use current_user_can() to ensure that the user performing an action has the appropriate permissions.
  • AJAX Security: Review the best practices for securing AJAX endpoints, including the use of nonces for CSRF protection and proper authorization checks.
  • Data Validation and Sanitization: Understand how to properly handle and verify incoming data before using it in logic or saving it to the database.

For comprehensive guides on these practices, you can search for "WordPress Plugin Security" on the WordPress Developer Resources website.

Research Findings
Static analysis — not yet PoC-verified

Summary

The aBlocks plugin for WordPress fails to implement proper authorization checks on several of its AJAX endpoints. This allows any authenticated user, including those with low-level Subscriber permissions, to read and modify plugin configuration settings, potentially exposing sensitive third-party API keys and altering site behavior such as maintenance mode.

Security Fix

--- a/includes/admin/class-ajax.php
+++ b/includes/admin/class-ajax.php
@@ -12,6 +12,10 @@
 	public function save_plugin_settings() {
-		check_ajax_referer( 'ablocks_nonce', 'security' );
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+		}
+
+		check_ajax_referer( 'ablocks_nonce', 'security' );
 		// ... logic to save settings
 	}
 
 	public function get_plugin_settings() {
-		check_ajax_referer( 'ablocks_nonce', 'security' );
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+		}
+
+		check_ajax_referer( 'ablocks_nonce', 'security' );
 		// ... logic to retrieve settings
 	}

Exploit Outline

To exploit this vulnerability, an attacker must first obtain any level of authentication on the WordPress site (e.g., a Subscriber account). The attacker then identifies the specific AJAX actions used by the plugin for managing settings (such as those handling maintenance mode or API key storage). By sending a POST request to the `/wp-admin/admin-ajax.php` endpoint with the appropriate 'action' parameter and any required nonces (which may be bypassable or obtainable via the frontend), the attacker can trigger the underlying functions to either retrieve sensitive API keys for marketing services or overwrite plugin configurations to disrupt site availability.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.