CVE-2026-3454
Description
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/class-meta-handler.phpnvd
- plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.phpnvd
- plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.phpnvd
- plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.phpnvd
- plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.phpnvd
- plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/0297d524-e016-4f8d-920c-d58c62edb2a0nvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026)Wordfence Blog · May 14, 2026