{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12134", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T20:51:09.503Z", "datePublished": "2025-10-24T09:23:31.083Z", "dateUpdated": "2026-04-08T17:27:21.785Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:21.785Z"}, "affected": [{"vendor": "bdthemes", "product": "ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_status() function in all versions up to, and including, 2.3.11. This makes it possible for unauthenticated attackers to enable/disable popups."}], "title": "ZoloBlocks <= 2.3.11 - Missing Authorization to Unauthenticated Popup Enable/Disable", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da9f89a2-f816-4445-8aea-11b622451ee9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3377160"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jamie Davies"}], "timeline": [{"time": "2025-10-23T21:06:17.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-23T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-24T12:19:00.747923Z", "id": "CVE-2025-12134", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:30:05.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12134", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-24T12:19:00.747923Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-24T12:19:02.516Z"}}], "cna": {"title": "ZoloBlocks <= 2.3.11 - Missing Authorization to Unauthenticated Popup Enable/Disable", "credits": [{"lang": "en", "type": "finder", "value": "Jamie Davies"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "bdthemes", "product": "ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T21:06:17.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-23T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da9f89a2-f816-4445-8aea-11b622451ee9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3377160"}], "descriptions": [{"lang": "en", "value": "The ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_status() function in all versions up to, and including, 2.3.11. This makes it possible for unauthenticated attackers to enable/disable popups."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:21.785Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12134", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:21.785Z", "dateReserved": "2025-10-23T20:51:09.503Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-24T09:23:31.083Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_status() function in all versions up to, and including, 2.3.11. This makes it possible for unauthenticated attackers to enable/disable popups."}], "id": "CVE-2025-12134", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-24T10:15:38.010", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3377160"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da9f89a2-f816-4445-8aea-11b622451ee9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:41:50.637948+00:00", "value": {"mitigation_remediation": ["Update the ZoloBlocks plugin to the latest available version, which addresses the missing authorization check for pop\u2011up status updates.", "If an update is not possible, restrict unauthenticated access to the update_popup_status() endpoint by adding a capability check or using a role\u2011based access control plugin.", "Disable or limit pop\u2011up functionality for users without the appropriate capabilities, ensuring that only authorized administrators can enable or disable pop\u2011ups."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of pop\u2011up settings through a missing authorization check"}, "threat_synthesis": {"affected_systems": "All installations of the bdthemes ZoloBlocks Gutenberg Block Editor Plugin for WordPress with a version numbering of 2.3.11 or earlier are affected. The plugin is typically used to add advanced blocks, dynamic content, templates, and patterns to WordPress sites. The flaw is present in all versions up to and including 2.3.11.", "description_and_impact": "The vulnerability resides in the update_popup_status() function of the ZoloBlocks WordPress plugin, where a capability check is omitted. As a result, any user who can submit requests to the plugin can toggle pop\u2011up settings without authentication. This flaw\u2014classified as a missing authorization (CWE\u2011862)\u2014permits attackers to enable or disable pop\u2011ups on the site, potentially disrupting user experience and undermining trust in site functionality. While it does not expose private data or allow code execution, the ability to alter site configuration constitutes a significant impact on the integrity of the application.", "risk_and_exploitability": "Based on the description, it is inferred that the attack vector is likely unauthenticated over the network, as the missing capability check allows anyone to craft a request to the update_popup_status() endpoint. The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further implying limited or no documented exploitation. Because no authentication is required, attackers can exploit the flaw without credentials, but the plugin\u2019s web interface must be publicly accessible for the exploit to succeed."}}}}, "created": "2025-10-27T22:13:22.489806+00:00", "updated": "2026-04-22T00:45:04.162400+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$zoloblocks", "wordpress", "wordpress$PRODUCT$wordpress"]}