{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11369", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-06T13:48:08.856Z", "datePublished": "2025-12-17T01:48:52.052Z", "dateUpdated": "2026-04-08T17:03:06.839Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:06.839Z"}, "affected": [{"vendor": "wpdevteam", "product": "Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.7.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services."}], "title": "Essential Blocks <= 5.7.2 - Missing Authorization To Authenticated (Author+) Information Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/OpenVerse.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/Instagram.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/GoogleMap.php#L50"}, {"url": "https://research.cleantalk.org/cve-2025-11369/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-10-01T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-06T14:04:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-16T11:33:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T14:39:28.513303Z", "id": "CVE-2025-11369", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T18:49:33.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-17T14:39:28.513303Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T14:49:34.384Z"}}], "cna": {"title": "Essential Blocks <= 5.7.2 - Missing Authorization To Authenticated (Author+) Information Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpdevteam", "product": "Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.7.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-01T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-06T14:04:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-16T11:33:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/OpenVerse.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/Instagram.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/GoogleMap.php#L50"}, {"url": "https://research.cleantalk.org/cve-2025-11369/"}], "descriptions": [{"lang": "en", "value": "The Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:06.839Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11369", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:06.839Z", "dateReserved": "2025-10-06T13:48:08.856Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-17T01:48:52.052Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services."}], "id": "CVE-2025-11369", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-17T02:16:00.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/GoogleMap.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/Instagram.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/OpenVerse.php#L108"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-11369/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:52:48.060857+00:00", "value": {"mitigation_remediation": ["Update the Gutenberg Essential Blocks plugin to version 5.7.3 or newer, which corrects the missing capability checks.", "If an update is not immediately possible, remove or disable the Google Map, Instagram, and Open Verse integrations so that the affected callbacks are no longer accessible, and delete any exposed API keys from the database.", "Restrict or remove Author\u2011level privileges from users who do not require access to the plugin\u2019s settings, ensuring that only administrators have visibility into sensitive configuration data."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns plugin, specifically any installation running version 5.7.2 or earlier. Versions after 5.7.2 are not impacted by this issue as the patch removes the faulty capability checks.", "description_and_impact": "The Gutenberg Essential Blocks plugin for WordPress contains missing or incorrect capability checks in three callback functions\u2014get_instagram_access_token_callback, google_map_api_key_save_callback, and get_siteinfo\u2014that allow any authenticated user with Author-level privileges or higher to read API keys that have been configured for external services. This vulnerability enables the disclosure of sensitive credentials, while it does not permit code execution or modification of site content. The weakness is documented as CWE\u2011862, a missing or incorrect authorization flaw.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low severity according to CVSS mapping; the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires that an attacker already holds Author or higher privileges within the WordPress site, so the attack vector is formulated as an in-the-site privilege misuse. While the exposure is limited to API key disclosure, the impact on confidentiality can be significant if the credentials control critical external services."}}}}, "created": "2025-12-17T14:28:42.098382+00:00", "updated": "2026-04-22T14:00:18.229234+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevteam", "wpdevteam$PRODUCT$gutenberg_essential_blocks"]}