CVE-2026-3454 in GenerateBlocks Plugininfo

Zusammenfassung

von MITRE • 05.05.2026

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:|key:}} and {{post_title id:|link:author_email}}.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

Wordfence

Reservieren

02.03.2026

Veröffentlichung

05.05.2026

Moderieren

akzeptiert

Eintrag

VDB-361115

CPE

bereit

CWE

CWE-639 (bestätigt)

CVSS

6.5 (CNA)

EPSS

0.00015

KEV

nein

Aktivitäten

very low

Sektor

Hostingprovider

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-3454
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3454
CVE Details	https://www.cvedetails.com/cve/CVE-2026-3454/

◂ Zurück Übersicht Weiter ▸

Do you know our Splunk app?

Download it now for free!