CVE-2025-11369
Unauthorized Access in Gutenberg Essential Blocks Exposes API Keys
Publication date: 2025-12-17
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| essential_blocks | essential_blocks | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11369 is a vulnerability in the Gutenberg Essential Blocks WordPress plugin (up to version 5.7.2) that allows authenticated users with Author-level access or higher to access sensitive API keys for external services like Instagram and Google Maps. This happens because certain AJAX callback functions (get_instagram_access_token_callback, google_map_api_key_save_callback, get_siteinfo) lack proper or correct capability checks, enabling unauthorized access to stored API tokens and keys. Although nonce verification and some capability checks exist, they are insufficient or improperly implemented, which can lead to exposure of these credentials. [1, 4]
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive API keys and tokens configured in the plugin, such as Instagram access tokens and Google Map API keys, to unauthorized users who have at least Author-level access on your WordPress site. Exposure of these credentials can lead to unauthorized use of external services, potential data leakage, and compromise of integrations relying on these keys. Attackers could misuse these keys to perform actions on your behalf or access data from connected services, undermining the security and privacy of your site. [1, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your WordPress site is running the Essential Blocks plugin version 5.7.2 or earlier. To confirm if the vulnerable AJAX endpoints are accessible, you can use curl commands to test the AJAX actions related to Google Map API key, Instagram access token, and site info retrieval. For example, to test the Google Map API key retrieval endpoint, you can run: curl -X POST -d 'action=google_map_api_key&admin_nonce=YOUR_NONCE' https://your-site.com/wp-admin/admin-ajax.php. Similarly, test the Instagram access token retrieval with: curl -X POST -d 'action=get_instagram_access_token&admin_nonce=YOUR_NONCE' https://your-site.com/wp-admin/admin-ajax.php. Replace YOUR_NONCE with a valid nonce if possible. Additionally, review your WordPress user roles to see if any users with Author-level or higher access could exploit these endpoints. Monitoring logs for unauthorized access attempts to these AJAX endpoints can also help detect exploitation attempts. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Update the Essential Blocks plugin to a version later than 5.7.2 where this vulnerability is fixed. 2) Restrict user roles and capabilities to ensure only trusted users have Author-level or higher access, as the vulnerability requires authenticated users with such privileges. 3) Temporarily disable or restrict access to the vulnerable AJAX endpoints (google_map_api_key, get_instagram_access_token, get_siteinfo) by adding custom code or security rules to block unauthorized requests. 4) Monitor and audit API keys and tokens stored in the plugin settings, and rotate them if you suspect they have been exposed. 5) Ensure that WordPress nonces and capability checks are properly enforced and consider adding additional security plugins or firewall rules to protect AJAX endpoints. [1, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with Author-level access and above to view API keys configured for external services, such as Instagram and Google Maps. Exposure of these API keys could lead to unauthorized access to external services and potentially sensitive data. This unauthorized access and data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access. Therefore, the vulnerability poses a risk to compliance by potentially enabling unauthorized data access through compromised API keys. [4, 1]