CVE-2025-12449

Sažetak

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.

Reference

https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/ajax/settings.php#L16
https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/assets.php#L353
https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/classes/abstract-request-handler.php#L486
https://www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4?source=cve

CVSS

Base:	5.4
Impact:	2.5
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Zadnje važnije ažuriranje

07-01-2026 - 12:16

Objavljeno

07-01-2026 - 12:16