PT-2025-51042 · WordPress · Generateblocks

Athiwat Tiprasaharn

·

Published

2025-12-13

·

Updated

2025-12-13

·

CVE-2025-12512

CVSS v3.1

4.3

Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: GenerateBlocks plugin for WordPress, versions through 2.1.2

Description: The GenerateBlocks plugin for WordPress has an information exposure issue because of inadequate object-level authorization checks. The plugin registers REST API routes under generateblocks/v1/meta/ that use current_user_can('edit_posts') for access control, which is accessible to low-privileged roles like Contributor. These handlers accept arbitrary entity IDs and meta keys, returning requested metadata with limited protection for password-like keys. The lack of object-level authorization allows attackers to retrieve personally identifiable information (PII) and sensitive data of other users, including administrator accounts, by querying user meta keys via the get_user_meta_rest function. This could enable targeted phishing, account takeover, and privacy breaches, particularly in WordPress and WooCommerce environments where user meta stores names, email addresses, phone numbers, and addresses.

Recommendations: Versions prior to and including 2.1.2 are affected. Update to a newer version to address this vulnerability.
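The authorization gap the description refers to is a permission_callback that checks only a role-level capability and never the object being requested. The following is an added illustration, not code from GenerateBlocks, showing that weak pattern beside a permission callback that also enforces object-level authorization and a key allow-list; the route name, parameter names and allow-list entries are assumptions.

```php
<?php
// Added illustration (not GenerateBlocks' own code): a WordPress REST
// permission_callback that only checks a role-level capability, the pattern
// described in the advisory, next to one that adds object-level authorization.
// Route name, parameter names and the allow-list are assumptions.

// Weak: any account holding edit_posts (a Contributor, for example) passes,
// whatever user ID or meta key the request names.
function example_weak_permission( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Assumed allow-list of non-sensitive keys that the endpoint may return.
const EXAMPLE_READABLE_USER_META = array( 'description', 'nickname' );

// Hardened: the caller must be permitted to act on this particular user,
// and the key must be on the allow-list.
function example_object_level_permission( WP_REST_Request $request ) {
    $user_id = absint( $request->get_param( 'id' ) );
    $key     = (string) $request->get_param( 'key' );
    $denied  = new WP_Error( 'rest_forbidden', 'Not permitted.', array( 'status' => 403 ) );

    if ( 0 === $user_id || ! in_array( $key, EXAMPLE_READABLE_USER_META, true ) ) {
        return $denied;
    }
    // 'edit_user' is a meta capability resolved against the target user ID:
    // true for the user themself or for roles holding edit_users
    // (Administrator), false for a Contributor asking about another account.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return $denied;
    }
    return true;
}

function example_get_user_meta( WP_REST_Request $request ) {
    $user_id = absint( $request->get_param( 'id' ) );
    $key     = (string) $request->get_param( 'key' );
    return rest_ensure_response( array( 'value' => get_user_meta( $user_id, $key, true ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user-meta/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_user_meta',
        'permission_callback' => 'example_object_level_permission',
        'args'                => array(
            'key' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );
} );
```

When reviewing a plugin's REST routes, the question to ask of each permission_callback is whether it receives and checks the request's target ID, not just whether it calls current_user_can at all.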

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2025-12512

Affected Products

Generateblocks