Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization

An attacker with Contributor-level access (or higher) to a WordPress site that has the Kadence Blocks plugin installed and a valid Kadence license connected can extract the site's license credentials. The attacker simply opens the block editor and inspects the JavaScript global `window.kadence_blocks_params.proData` in the browser console. No server-side request manipulation or additional privileges are required — the credentials are exposed client-side to any authenticated user who can access the editor. [CWE-200]

The vulnerability resides in the `editor_assets_variables()` method of `class-kadence-blocks-editor-assets.php` (around line 291). The method calls `kadence_blocks_get_current_license_data()` and passes the returned `$pro_data` array — which contains the license key, email, api_key, api_email, and domain — directly into the `wp_localize_script()` call under the `'proData'` key. This makes the full credential bundle accessible to any JavaScript context that loads the block editor, without any capability check beyond the editor being rendered.

The patch is not shown in the provided bundle, but the advisory states the issue affects all versions up to 3.7.5. The fix would need to either (a) remove the sensitive `$pro_data` fields from the localized script object, (b) restrict the inclusion of `proData` to only users with `manage_options` capability, or (c) mask the credential values before passing them to the client. Without a patch diff, the exact remediation cannot be confirmed.