Mahdi Salhi

**Name of the Vulnerable Software and Affected Versions** aBlocks – WordPress Gutenberg Blocks plugin versions prior to 2.4.1 **Description** The aBlocks – WordPress Gutenberg Blocks plugin for WordPress has a flaw that allows unauthorized modification of data and disclosure of sensitive information. This is due to missing capability checks on multiple AJAX actions. Authenticated attackers with subscriber level access or higher can read plugin settings, including block visibility and maintenance mode configuration. They can also access sensitive configuration data, such as API keys for email marketing services. The `API keys` are particularly vulnerable to exposure. **Recommendations** Update to version 2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Custom Post Type UI plugin for WordPress versions prior to 1.19.0 **Description** The Custom Post Type UI plugin for WordPress is susceptible to authorization bypass. The plugin does not properly verify user capabilities when executing the `cptui process post type` function. This allows authenticated attackers with subscriber-level access or higher to add, edit, or delete custom post types under specific circumstances. **Recommendations** Update the Custom Post Type UI plugin to version 1.19.0 or later.