CVE-2023-2086 MEDIUM

CVE-2023-2086: Essential Blocks <= 4.0.6 - Missing Authorization via template_count

Vendor Wpdevteam
Product Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
Weakness CWE-862 · Missing authorization
Published June 9, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the template_count function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin template information. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check.

Key dates

02Disclosure timeline

June 9, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-33588 WordPress basepress plugin <= 2.16.1 - Broken Access Control vulnerability CVE-2025-12975 CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation CVE-2026-26979 Discourse: TL4 users are able to change status of restricted topics CVE-2025-66526 WordPress Tablesome plugin <= 1.1.34 - Broken Access Control vulnerability CVE-2025-47463 WordPress Stock Locations for WooCommerce plugin <= 2.8.6 - Broken Access Control Vulnerability