GenerateBlocks WordPress Plugin Information Exposure Vulnerability
Vulnerability
A vulnerability allowing information exposure exists in the GenerateBlocks plugin for WordPress, in all versions up to and including 2.1.2. The issue arises from inadequate object-level authorization checks in the REST API routes under 'generateblocks/v1/meta/'. Access to these routes is gated only by the 'edit_posts' capability, which low-privileged roles such as Contributor possess. The affected endpoints accept arbitrary entity IDs and meta keys and return the requested metadata, withholding only a short blacklist of password-like keys. Because the capability check proves only that the caller may edit posts, not that the caller may read the specific user's or post's metadata, authenticated attackers with Contributor-level access or higher can extract personally identifiable information and other sensitive data from user meta, particularly that of administrator accounts or other users in WordPress and WooCommerce environments.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, including personally identifiable information and other private profile data, stored in WordPress user meta.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send requests to the exposed REST API endpoints 'generateblocks/v1/meta/get-user-meta' or 'generateblocks/v1/meta/get-post-meta'. These requests can include arbitrary user or post IDs and meta keys, allowing the extraction of sensitive metadata without proper authorization checks. In WordPress with WooCommerce, this could involve accessing PII such as names, emails, phone numbers, and addresses from user meta.
Remediation
Users are advised to update the GenerateBlocks plugin to version 2.2.0 or later, where this vulnerability has been patched.
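For plugin developers, the pattern behind this class of bug is a REST route whose permission_callback checks a role-wide capability and then relies on a key blacklist. The following is an added illustrative example, not GenerateBlocks' own code or its actual patch: a user-meta route that instead performs an object-level check with the 'edit_user' meta capability for the requested user and exposes only an allowlist of keys. The route name, callback name and allowed keys are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): a user-meta REST route with
// per-object authorization and a meta-key allowlist. Names are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user-meta', array(
        'methods'  => 'GET',
        'callback' => 'example_get_user_meta',
        // 'edit_posts' alone only proves the caller is a Contributor or higher;
        // it says nothing about WHICH user's meta they may read. 'edit_user' is
        // a meta capability that WordPress resolves per target user, so a
        // Contributor asking for an administrator's meta is refused here.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user_id = (int) $request->get_param( 'user_id' );
            if ( $user_id <= 0 || ! get_userdata( $user_id ) ) {
                return new WP_Error( 'rest_invalid_user', 'Unknown user.', array( 'status' => 404 ) );
            }
            return current_user_can( 'edit_user', $user_id );
        },
        'args' => array(
            'user_id'  => array( 'required' => true, 'type' => 'integer' ),
            'meta_key' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_get_user_meta( WP_REST_Request $request ) {
    // Allowlist rather than a password-pattern blacklist: only keys the feature
    // needs are readable, so profile and billing PII never become reachable
    // just because nobody thought to blacklist them. Keys are assumed.
    $allowed_keys = array( 'nickname', 'description' );

    $meta_key = (string) $request->get_param( 'meta_key' );
    $user_id  = (int) $request->get_param( 'user_id' );

    // is_protected_meta() additionally refuses underscore-prefixed internal keys.
    if ( ! in_array( $meta_key, $allowed_keys, true ) || is_protected_meta( $meta_key, 'user' ) ) {
        return new WP_Error( 'rest_forbidden_meta', 'Meta key not exposed.', array( 'status' => 403 ) );
    }

    return rest_ensure_response( array(
        'user_id'  => $user_id,
        'meta_key' => $meta_key,
        'value'    => get_user_meta( $user_id, $meta_key, true ),
    ) );
}
```

The same shape applies to a post-meta route by checking current_user_can( 'edit_post', $post_id ) against the requested post instead.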
