CVE-2025-14360

Blockons <= 1.2.15 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Blockons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.15. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.15
PublishedJanuary 8, 2026
Last updatedJanuary 13, 2026
Affected pluginblockons
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-14360 (Blockons Missing Authorization) ## 1. Vulnerability Summary The **Blockons** plugin (versions <= 1.2.15) contains a missing authorization vulnerability. A specific function, likely registered as an AJAX handler or a REST API endpoint, performs a sensiti…

Show full research plan

Exploitation Research Plan: CVE-2025-14360 (Blockons Missing Authorization)

1. Vulnerability Summary

The Blockons plugin (versions <= 1.2.15) contains a missing authorization vulnerability. A specific function, likely registered as an AJAX handler or a REST API endpoint, performs a sensitive action without verifying the user's capabilities (e.g., via current_user_can()). This allows unauthenticated attackers to trigger the function by sending a crafted request to admin-ajax.php or the REST API.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (inferred)
  • Action: Likely related to block settings, data processing, or an administrative task (inferred).
  • Authentication: Unauthenticated (as per CVSS vector PR:N).
  • Preconditions: The plugin must be active. If the function requires a nonce, it must be exposed on the frontend.

3. Code Flow (Inferred)

  1. Entry Point: The attacker sends a POST request to admin-ajax.php with a specific action parameter.
  2. Hook Registration: The plugin registers the action using add_action('wp_ajax_nopriv_{action}', ...) or add_action('wp_ajax_{action}', ...).
  3. Vulnerable Function: The callback function is executed.
  4. Missing Check: The function fails to call current_user_can('manage_options') (or a similar check) before proceeding with the logic (e.g., updating options, sending emails, or modifying database entries).
  5. Sink: An unauthorized state change occurs (e.g., update_option(), wp_insert_post(), or wp_mail()).

4. Nonce Acquisition Strategy

If the function uses check_ajax_referer() or wp_verify_nonce(), the nonce must be retrieved from the frontend.

  1. Identify the Action: Search the plugin code for the vulnerable AJAX action.
    grep -rn "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/blockons/
    
  2. Locate Nonce Exposure: Find where the nonce is localized for the frontend.
    grep -rn "wp_localize_script" /var/www/html/wp-content/plugins/blockons/
    
  3. Identify the Shortcode: Determine which block/shortcode enqueues the script containing the nonce.
  4. Create a Trigger Page:
    wp post create --post_type=page --post_status=publish --post_title="Exploit Page" --post_content='[blockons_shortcode_found_above]'
    
  5. Extract Nonce via Browser:
    • Navigate to the page.
    • Use browser_eval to extract the nonce from the JS object (e.g., window.blockons_vars?.nonce).

5. Exploitation Strategy

Step 1: Reconnaissance

Find the unauthenticated AJAX action and its corresponding function.

grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/blockons/

Note: If multiple actions exist, look for ones involving settings, email, or data management.

Step 2: Extract Parameters

Analyze the function body to find required parameters (e.g., $_POST['config'], $_POST['data']).

Step 3: Craft and Send Payload

Use the http_request tool to trigger the action.
Example Request:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action={vulnerable_action}&nonce={extracted_nonce}&param1=malicious_value

6. Test Data Setup

  1. Install Plugin:
    wp plugin install blockons --version=1.2.15 --activate
    
  2. Configuration: (If needed) Configure a block in the editor to ensure its AJAX functionality is active.

7. Expected Results

  • The server responds with a 200 OK or a JSON success message (e.g., {"success": true}).
  • The unauthorized action is performed (e.g., a setting is changed in the wp_options table).

8. Verification Steps

After the HTTP request, verify the impact using WP-CLI:

# Check if a specific option was changed
wp option get {option_name}

# Check for new posts or data
wp post list --post_type={type}

9. Alternative Approaches

  • REST API: If no AJAX actions are unauthenticated, check for REST routes registered with permission_callback set to __return_true.
    grep -rn "register_rest_route" /var/www/html/wp-content/plugins/blockons/
    
  • Admin Init Bypass: Look for functions hooked to admin_init that process $_POST data without a current_user_can() check. These can often be triggered by any logged-in user or sometimes even unauthenticated users visiting admin-ajax.php.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Blockons plugin for WordPress is vulnerable to unauthorized access in versions up to and including 1.2.15 due to a missing capability check on a sensitive function. This allows unauthenticated attackers to trigger administrative or sensitive actions by sending crafted requests to the plugin's AJAX or REST API endpoints.

Exploit Outline

1. Identify the vulnerable unauthenticated AJAX action by searching the plugin's source for hooks registered via 'wp_ajax_nopriv_'. 2. Locate the JavaScript variable where the plugin exposes an AJAX nonce to the frontend (typically via 'wp_localize_script'). 3. Visit a public page where the Blockons block or shortcode is active to extract the valid nonce from the page source. 4. Construct a POST request to '/wp-admin/admin-ajax.php' containing the 'action' parameter associated with the vulnerable function, the extracted 'nonce', and any required data parameters identified in the function body. 5. Send the request to perform the unauthorized action, such as modifying plugin configurations or manipulating database entries.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.