Responsive Blocks – Page Builder for Blocks & Patterns <= 2.2.0 - Missing Authorization
Description
The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 2.2.0
What Changed in the Fix
Changes introduced in v2.2.1
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-32543
1. Vulnerability Summary
The Responsive Blocks – Page Builder for Blocks & Patterns plugin (<= 2.2.0) is vulnerable to Missing Authorization on functions hooked to admin_init. Specifically, several functions responsible for dismissing or modifying administrative notices do not implement capability checks (current_user_can) or nonce verification. Because admin_init is triggered for every request to /wp-admin/admin-ajax.php (even for unauthenticated users), an attacker can perform unauthorized state changes by sending crafted GET requests.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php (or any admin page)
- Action Hook: admin_init
- Vulnerable Functions: rba_notice_dismissed, rba_notice_change_timeout, and rba_notice_cross_dismiss
- Payload Parameters: rba_notice_dismissed, rba_notice_timeout, or rba_notice_cross_dismiss
- Authentication: None required (PR:N)
- Preconditions: The plugin must be active
3. Code Flow
- In includes/class-responsive-block-editor-addons.php, the constructor registers several hooks to admin_init: add_action(
Summary
The Responsive Blocks plugin for WordPress is vulnerable to unauthorized access because several administrative notice management functions are hooked to admin_init without capability checks or nonce verification. This allows unauthenticated attackers to dismiss or modify administrator-level notices by sending crafted requests to admin-ajax.php, which triggers the admin_init hook even for non-logged-in users.
Vulnerable Code
// includes/class-responsive-block-editor-addons.php line 189
add_action( 'admin_init', array( $this, 'rba_notice_dismissed' ) );
add_action( 'admin_init', array( $this, 'rba_notice_change_timeout' ) );
add_action( 'admin_init', array( $this, 'rba_notice_cross_dismiss' ) );
Security Fix
@@ -1 +1 @@ -<?php return array('dependencies' => array('jquery', 'lodash', 'moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-dom-ready', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-keycodes', 'wp-media-utils', 'wp-polyfill', 'wp-primitives', 'wp-url'), 'version' => 'c0287f04525a3d829aadc0adf8987c18'); \ No newline at end of file +<?php return array('dependencies' => array('jquery', 'lodash', 'moment', 'react', 'react-dom', 'wp-api-fetch', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-dom-ready', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-keycodes', 'wp-media-utils', 'wp-polyfill', 'wp-primitives', 'wp-url'), 'version' => '038a6e3276a756d33fbcf360a37f4806'); \ No newline at end of file @@ -20,7 +20,7 @@ ... (truncated)
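Review bot: the only hunk shown in full changes nothing but the build-asset version hash (c0287f04525a3d829aadc0adf8987c18 to 038a6e3276a756d33fbcf360a37f4806) in a generated dependencies file; it contains no capability or nonce check, and the second hunk (@@ -20,7 +20,7 @@) is truncated, so the authorization fix the advisory attributes to 2.2.1 is not visible in this excerpt. To verify that the three admin_init handlers (rba_notice_dismissed, rba_notice_change_timeout, rba_notice_cross_dismiss) actually gained a current_user_can() and nonce check, diff includes/class-responsive-block-editor-addons.php between tags 2.2.0 and 2.2.1 in the WordPress.org SVN rather than relying on this page.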
Exploit Outline
The exploit target is the admin_init hook, which executes on every request to /wp-admin/admin-ajax.php, regardless of authentication status. An attacker sends a crafted GET or POST request to this endpoint containing specific parameters used by the plugin to track administrative notice states, such as 'rba_notice_dismissed', 'rba_notice_timeout', or 'rba_notice_cross_dismiss'. Because the functions processing these parameters (rba_notice_dismissed, rba_notice_change_timeout, and rba_notice_cross_dismiss) do not check for user capabilities (current_user_can) or verify a cryptographic nonce, the request successfully modifies the site's configuration options (e.g., updating 'rbea_review_notice_dismissed') without authorization.
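The mechanism described in the Summary, the Vulnerable Code block and the Exploit Outline above comes down to one missing guard: an admin_init handler that writes an option whenever a request parameter is present, with no capability check and no nonce. The following PHP is an added illustration, not the plugin's own code and not the 2.2.1 fix. The handler bodies are reconstructed from the advisory text (the option name rbea_review_notice_dismissed is from the page; rbea_notice_timeout_example is a hypothetical option name chosen here), and the shared guard shows the checks a maintainer would add to all three rba_notice_* handlers. It assumes a loaded WordPress environment.

```php
<?php
// Added example for this advisory; not code from the Responsive Blocks plugin.
// Handler bodies are reconstructed from the advisory's description, and the
// option name 'rbea_notice_timeout_example' is hypothetical.

// --- Vulnerable pattern, as the advisory describes it -----------------------
// admin_init also fires for unauthenticated requests to /wp-admin/admin-ajax.php,
// so a handler like this lets anyone on the internet flip the option.
// (Shown for contrast; deliberately not hooked.)
function rba_notice_dismissed_unguarded() {
    if ( isset( $_GET['rba_notice_dismissed'] ) ) {
        update_option( 'rbea_review_notice_dismissed', true );
    }
}

// --- Hardened form ------------------------------------------------------------
// One guard shared by every notice handler:
//   1. ignore requests that do not carry the parameter at all;
//   2. require a capability only administrators hold, which also rejects
//      unauthenticated callers (current_user_can() is false for them);
//   3. require a nonce tied to this specific action, so a logged-in admin
//      cannot be tricked into dismissing via a forged link (CSRF).
function rba_notice_request_is_authorized( $param, $action ) {
    if ( ! isset( $_GET[ $param ] ) ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $nonce = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
        : '';
    // wp_verify_nonce() returns false on failure, 1 or 2 on success.
    return false !== wp_verify_nonce( $nonce, $action );
}

function rba_notice_dismissed_hardened() {
    if ( ! rba_notice_request_is_authorized( 'rba_notice_dismissed', 'rba_notice_dismissed' ) ) {
        return;
    }
    update_option( 'rbea_review_notice_dismissed', true );
}

function rba_notice_change_timeout_hardened() {
    if ( ! rba_notice_request_is_authorized( 'rba_notice_timeout', 'rba_notice_change_timeout' ) ) {
        return;
    }
    // Even an authorized request gets its value coerced to a non-negative int.
    $days = absint( wp_unslash( $_GET['rba_notice_timeout'] ) );
    update_option( 'rbea_notice_timeout_example', $days ); // hypothetical option name
}

// The dismiss/timeout links rendered inside the admin notice must carry the
// matching nonce, otherwise the hardened handlers ignore every click.
function rba_notice_dismiss_url() {
    $url = add_query_arg( 'rba_notice_dismissed', '1', admin_url() );
    return wp_nonce_url( $url, 'rba_notice_dismissed' ); // appends _wpnonce=...
}

function rba_notice_timeout_url( $days ) {
    $url = add_query_arg( 'rba_notice_timeout', absint( $days ), admin_url() );
    return wp_nonce_url( $url, 'rba_notice_change_timeout' );
}

add_action( 'admin_init', 'rba_notice_dismissed_hardened' );
add_action( 'admin_init', 'rba_notice_change_timeout_hardened' );
```

The order of the checks matters for the failure mode in this advisory: the capability test runs before any nonce handling, so an unauthenticated request to admin-ajax.php exits at current_user_can() and never touches update_option(), whatever parameters it carries. The nonce is a separate control against CSRF of a real administrator, and the action string passed to wp_verify_nonce() must match the one used in wp_nonce_url() for the same link.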