Description
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.
Problem types
CWE-639 Authorization Bypass Through User-Controlled Key
Product status
Any version
Timeline
| 2026-03-02: | Vendor Notified |
| 2026-05-04: | Disclosed |
Credits
Supanat Konprom
References
www.wordfence.com/...-e016-4f8d-920c-d58c62edb2a0?source=cve
plugins.trac.wordpress.org/...ic-tags/class-dynamic-tags.php
plugins.trac.wordpress.org/...ic-tags/class-dynamic-tags.php
plugins.trac.wordpress.org/...lass-dynamic-tag-callbacks.php
plugins.trac.wordpress.org/...lass-dynamic-tag-callbacks.php
plugins.trac.wordpress.org/...ncludes/class-meta-handler.php
plugins.trac.wordpress.org/...ic-tags/class-dynamic-tags.php
plugins.trac.wordpress.org/...%2Ftrunk&sfp_email=&sfph_mail=