cleantalk
Vulnerabilities and Security Researches

GenerateBlocks, CVE-2026-3454

CVE, Research URL

CVE-2026-3454

Home page URL

Security reports for GenerateBlocks

Application

GenerateBlocks

Published on
May 05, 2026
Research Description
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.
Affected versions
max 2.2.1.
Status
vulnerable
Previous vulnerability researches
GenerateBlocks (CVE-2024-13546) , Mar 01, 2025
GenerateBlocks (CVE-2024-1452) , Jun 06, 2024
GenerateBlocks (CVE-2021-24751) , Jun 06, 2024
GenerateBlocks (CVE-2026-3454) , May 05, 2026
GenerateBlocks (CVE-2025-11879) , Nov 10, 2025
New vulnerability
Royal Elementor Addons and Templates (CVE-2026-4803) , May 06, 2026
Royal Elementor Addons and Templates (CVE-2026-5159) , May 06, 2026
NEX-Forms &#8211; Ultimate Form Builder &#8211; Contact forms and much more (CVE-2026-5063) , May 06, 2026
Loco Translate (CVE-2026-1921) , May 06, 2026
Conditional Fields for Contact Form 7 (CVE-2026-25863) , May 06, 2026