CVE-2024-1095 in Build & Control Block Patterns Plugin
Summary
by MITRE • 03/05/2024
The Build & Control Block Patterns – Boost up Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the settings_export() function in all versions up to, and including, 1.3.5.4. This makes it possible for unauthenticated attackers to export the plugin's settings.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-1095 affects the Build & Control Block Patterns plugin for WordPress, specifically targeting versions up to and including 1.3.5.4. This issue represents a critical authorization flaw that undermines the security posture of WordPress installations relying on this plugin. The vulnerability stems from insufficient access controls within the plugin's codebase, creating a pathway for unauthorized entities to access sensitive configuration data. The affected plugin is designed to enhance the Gutenberg editor experience through customizable block patterns and control mechanisms, making it a popular choice among WordPress users seeking enhanced content creation capabilities.
The technical flaw manifests in the settings_export() function which lacks proper capability verification before allowing data export operations. This function should require administrative privileges or specific user roles to execute, but instead operates without adequate authorization checks. The missing capability check creates a direct attack vector where unauthenticated users can invoke the export functionality and retrieve plugin configuration settings. This represents a clear violation of the principle of least privilege and demonstrates poor access control implementation within the WordPress plugin architecture. The vulnerability aligns with CWE-284, which specifically addresses improper access control issues in software systems.
The operational impact of this vulnerability extends beyond simple data exposure, as the exported plugin settings may contain sensitive configuration parameters, user preferences, and potentially identifying information about the website's structure and implementation choices. Attackers could leverage this information to craft more sophisticated attacks targeting other components of the WordPress ecosystem. The unauthenticated nature of the exploit means that any visitor to the website could potentially access these settings, making the vulnerability particularly dangerous in publicly accessible environments. This weakness creates opportunities for reconnaissance activities that could lead to further exploitation attempts within the broader WordPress infrastructure.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the missing capability check. System administrators should ensure that all WordPress installations are running patched versions of the plugin, as the vulnerability affects all versions up to 1.3.5.4. Additionally, implementing network-level restrictions and monitoring for unusual export activities can help detect potential exploitation attempts. The remediation process should include thorough review of plugin permissions and access controls, ensuring that all administrative functions require appropriate authentication and authorization. Organizations should also consider implementing web application firewalls to monitor and block suspicious export requests. This vulnerability highlights the importance of regular security audits and proper capability validation within WordPress plugins, as outlined in the ATT&CK framework's privileged access techniques. The issue serves as a reminder that even seemingly minor functionality can create significant security risks when proper access controls are not implemented.