PT-2026-36979 · WordPress · Generateblocks

Supanat Konprom · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-3454

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GenerateBlocks versions prior to 2.2.1

Description: The plugin is subject to Insecure Direct Object Reference (IDOR), a flaw where an application grants direct access to objects based on user-supplied input without checking that the caller is entitled to that particular object. The issue exists in the '/wp-json/generateblocks/v1/dynamic-tag-replacements' REST endpoint, which fails to perform object-level authorization checks. While the endpoint verifies that the caller holds the edit_posts capability, it does not confirm that the user has permission to access the specific post or data referenced by the id parameters. Consequently, authenticated attackers with Contributor-level access or higher can extract sensitive information from arbitrary posts, such as author email addresses and non-protected post meta values, by manipulating dynamic tag payloads.

Recommendations: Update to a version later than 2.2.0. Restrict access to the '/wp-json/generateblocks/v1/dynamic-tag-replacements' endpoint to minimize the risk of exploitation.
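The missing check described above, shown as an added illustrative example rather than GenerateBlocks' own code: a WordPress REST route whose permission_callback only performs the role-level edit_posts check, with the per-post edit_post check added inside the handler so a Contributor can resolve tags only against posts they are allowed to edit. The route name 'example/v1', the payload shape (a 'tags' array of objects with 'tag', 'id' and 'key') and the tag names are hypothetical.

```php
<?php
// Illustrative example (not the plugin's code): a REST route that resolves
// dynamic tags against client-supplied post ids. Route, payload and tag
// names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/dynamic-tag-replacements', array(
        'methods'             => 'POST',
        'callback'            => 'example_resolve_dynamic_tags',
        // Role-level gate only: every Contributor passes this. On its own it is
        // the insufficient check the advisory describes.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

function example_resolve_dynamic_tags( WP_REST_Request $request ) {
    $tags   = (array) $request->get_param( 'tags' );
    $output = array();

    foreach ( $tags as $tag ) {
        $post_id = isset( $tag['id'] ) ? absint( $tag['id'] ) : 0;
        $post    = $post_id ? get_post( $post_id ) : null;
        if ( ! $post ) {
            return new WP_Error( 'not_found', 'Post not found.', array( 'status' => 404 ) );
        }

        // Object-level authorization, the check whose absence causes the IDOR.
        // 'edit_post' is a meta capability that WordPress maps to the caller's
        // rights on this specific post (a Contributor may only edit their own).
        if ( ! current_user_can( 'edit_post', $post->ID ) ) {
            return new WP_Error( 'forbidden', 'Not allowed for this post.', array( 'status' => 403 ) );
        }

        switch ( $tag['tag'] ?? '' ) {
            case 'author_email':
                $output[] = get_the_author_meta( 'user_email', $post->post_author );
                break;
            case 'post_meta':
                $key = sanitize_key( $tag['key'] ?? '' );
                // Protected meta (keys beginning with "_") stays unreadable here too.
                $output[] = is_protected_meta( $key, 'post' ) ? '' : get_post_meta( $post->ID, $key, true );
                break;
            default:
                $output[] = '';
        }
    }

    return rest_ensure_response( array( 'replacements' => $output ) );
}
```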

Fix · IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-3454

Affected Products: Generateblocks