Home

Description

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' function in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.

PUBLISHED Reserved 2025-03-20 | Published 2025-04-08 | Updated 2025-04-08 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

1.0.4 (semver)
affected

Timeline

2025-04-07:Disclosed

Credits

Kenneth Dunn finder

References

www.wordfence.com/...-3dfc-4bbd-834a-1c04d9e22ebf?source=cve

plugins.trac.wordpress.org/...-blocks/trunk/inc/function.php

plugins.trac.wordpress.org/...-blocks/trunk/inc/function.php

plugins.trac.wordpress.org/...-blocks/trunk/inc/function.php

plugins.trac.wordpress.org/...-blocks/trunk/inc/function.php

plugins.trac.wordpress.org/changeset/3263702/

cve.org (CVE-2025-2568)

nvd.nist.gov (CVE-2025-2568)

Download JSON