Description
The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
References
- MISChttps://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813?source=cve
- MISChttps://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/OpenVerse.php#L108
- MISChttps://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/Instagram.php#L20
- MISChttps://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/GoogleMap.php#L50
- MISChttps://research.cleantalk.org/cve-2025-11369/