CVE-2025-26871
Published: 25 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26871 is a missing authorization vulnerability (CWE-862) in the Essential Blocks for Gutenberg WordPress plugin by WPDeveloper. The issue stems from exploiting incorrectly configured access control security levels and affects all versions of the plugin from n/a through 4.8.3. It has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, and low privilege requirements.
A low-privileged authenticated attacker, such as a WordPress user with contributor or similar access, can exploit this vulnerability remotely without user interaction. Exploitation enables limited unauthorized modifications to plugin resources (low integrity impact), potentially allowing alterations to blocks or settings that the attacker should not access.
The Patchstack advisory details the broken access control issue in version 4.8.3 and recommends updating the Essential Blocks for Gutenberg plugin to a patched version beyond 4.8.3 as the primary mitigation. Further details are available at https://patchstack.com/database/Wordpress/Plugin/essential-blocks/vulnerability/wordpress-essential-blocks-plugin-4-8-3-broken-access-control-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization vulnerability in the public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) by low-privileged authenticated attackers to perform unauthorized modifications to plugin resources.