What the vulnerability does
01 Description
The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to read plugin settings, including block visibility, maintenance mode configuration, and API keys for third-party email marketing services.
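The flaw class named above, a missing capability check on an AJAX action, comes from how WordPress dispatches admin-ajax requests: a handler hooked to wp_ajax_{action} runs for every logged-in user, subscriber included, so the handler itself must decide whether the caller is allowed to read or change settings. The following is an added example and is not aBlocks' code; all hook, action, option and field names prefixed "myplugin_" are hypothetical stand-ins. It shows the unchecked pattern beside a hardened read and save handler that verify a nonce, require manage_options, and avoid returning stored API keys in clear.

```php
<?php
// Added example (not aBlocks plugin code). Names prefixed "myplugin_" are hypothetical.

// BEFORE: the pattern behind a missing-capability-check finding.
// wp_ajax_{action} fires for every authenticated user, so nothing here stops a
// low-privilege account from reading whatever is in the option, API keys included.
// (Not hooked here, so it never runs in this example.)
function myplugin_get_settings_unchecked() {
    wp_send_json_success( get_option( 'myplugin_settings', array() ) );
}

// AFTER: authorization enforced inside the handler.
add_action( 'wp_ajax_myplugin_get_settings', 'myplugin_get_settings' );
function myplugin_get_settings() {
    // CSRF protection: verifies the nonce issued to the settings page; dies with 403 on failure.
    check_ajax_referer( 'myplugin_settings_nonce', 'nonce' );

    // Authorization: a nonce proves the request came from the site's own page,
    // not that the user may see settings. Subscribers do not hold manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = get_option( 'myplugin_settings', array() );

    // Even for administrators, do not hand the stored API key to the browser; mask it.
    if ( ! empty( $settings['email_api_key'] ) ) {
        $settings['email_api_key'] = str_repeat( '*', 8 ) . substr( $settings['email_api_key'], -4 );
    }

    wp_send_json_success( $settings );
}

add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings' );
function myplugin_save_settings() {
    check_ajax_referer( 'myplugin_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $current = get_option( 'myplugin_settings', array() );

    // Allow-list the fields that may change and sanitize each one; unknown keys are ignored.
    $current['maintenance_mode'] = ! empty( $_POST['maintenance_mode'] );
    if ( isset( $_POST['email_api_key'] ) && '' !== $_POST['email_api_key'] ) {
        // Only overwrite the key when a new one is submitted, so the masked value
        // echoed back by the read handler is never written over the real key.
        $current['email_api_key'] = sanitize_text_field( wp_unslash( $_POST['email_api_key'] ) );
    }

    update_option( 'myplugin_settings', $current );
    wp_send_json_success( array( 'saved' => true ) );
}

// Hand the nonce to the settings page's script so the browser can include it in requests.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    // Hypothetical hook suffix for a settings page registered under the Settings menu.
    if ( 'settings_page_myplugin' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_settings_nonce' ),
    ) );
} );
```

The two checks do different jobs and both are needed: check_ajax_referer() stops cross-site requests from riding an administrator's session, while current_user_can() is what actually keeps a subscriber out. When reviewing a plugin for this class of issue, list every add_action( 'wp_ajax_...' ) registration and confirm each handler performs a capability check appropriate to the data it touches, since a nonce alone is not an authorization control.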
Explanation of Vulnerability in Simple Terms
02 Summary
aBlocks contains an authorization flaw that allows authenticated users to access or modify data they should not have permission to view or change. An attacker with a low-privilege account can read or alter sensitive information within the plugin. The vulnerability affects versions up to 2.4.0 and requires a valid user login to exploit.
What an attacker can do
03 Attacker Capabilities
Read or modify data belonging to other users or restricted areas of the site.
Potential impact on your site
04 Site Impact
User data and site content may be exposed to or altered by low-privilege accounts without proper access controls.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account with low-level privileges on the WordPress site.
Key dates
06 Disclosure timeline
January 7, 2026: CVE published
April 8, 2026: Record updated