GenerateBlocks WordPress Plugin Insecure Direct Object Reference Vulnerability
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the GenerateBlocks plugin for WordPress, affecting all versions up to and including 2.2.0. The issue arises from the absence of object-level authorization checks in the '/wp-json/generateblocks/v1/dynamic-tag-replacements' REST endpoint. While the endpoint verifies that the user holds the generic 'edit_posts' capability, it does not verify that the user is permitted to access the specific post, or its related data, referenced by attacker-controlled ID parameters in the dynamic tag content. This allows authenticated attackers with Contributor-level access or higher to extract sensitive information from arbitrary posts, such as author email addresses and unprotected post meta values, by crafting dynamic tag payloads that request this information.
Impact
Exploitation of this vulnerability allows for the unauthorized access and extraction of sensitive information from WordPress posts, including author email addresses and non-protected post meta values.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a POST request to the '/wp-json/generateblocks/v1/dynamic-tag-replacements' endpoint. The request must include dynamic tag payloads that reference specific post IDs and meta keys. The absence of proper authorization checks will allow the extraction of sensitive information from the targeted posts.
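As an added illustration, not GenerateBlocks' own code and not a reproduction of the issue, the following WordPress plugin snippet shows the object-level check the advisory says is missing: a REST permission callback that authorizes every post ID referenced anywhere in the submitted tag content against the per-post 'edit_post' meta capability, rather than the blanket 'edit_posts' check. The namespace 'example/v1', the route '/tag-replacements', the request shape and the function names are hypothetical; the WordPress functions used (register_rest_route, current_user_can, is_protected_meta, rest_authorization_required_code) are real.

```php
<?php
/**
 * Added illustration of object-level authorization for a REST endpoint that resolves
 * dynamic tags. Not GenerateBlocks' code: namespace, route, request shape and helper
 * names are hypothetical; the WordPress APIs are real.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/tag-replacements', array(
        'methods'             => 'POST',
        'callback'            => 'example_resolve_tags',
        'permission_callback' => 'example_tags_permission',
        'args'                => array(
            // Each tag names the post it reads from; a 'meta' tag also names the key.
            'tags' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array(
                    'type'       => 'object',
                    'properties' => array(
                        'type'    => array( 'type' => 'string', 'enum' => array( 'title', 'author_email', 'meta' ) ),
                        'post_id' => array( 'type' => 'integer', 'minimum' => 1 ),
                        'key'     => array( 'type' => 'string' ),
                    ),
                    'required'   => array( 'type', 'post_id' ),
                ),
            ),
        ),
    ) );
} );

/**
 * Permission callback. The coarse form, the pattern the advisory describes, would be
 *     return current_user_can( 'edit_posts' );
 * which passes every Contributor regardless of which post the tags reference. Instead,
 * every post ID found in the tag content is checked against the per-post 'edit_post'
 * meta capability. map_meta_cap() resolves it to 'edit_others_posts' for posts the
 * caller does not own, a capability Contributors lack.
 */
function example_tags_permission( WP_REST_Request $request ) {
    $post_ids = array_unique( array_map(
        function ( $tag ) { return isset( $tag['post_id'] ) ? (int) $tag['post_id'] : 0; },
        (array) $request->get_param( 'tags' )
    ) );

    foreach ( $post_ids as $post_id ) {
        if ( $post_id < 1 || ! get_post( $post_id ) ) {
            return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
        }
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to read data from this post.',
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }
    return true;
}

/**
 * Callback. Per-post authorization has already been enforced, so only meta-level rules
 * remain: protected keys ('_'-prefixed or registered as protected) are never returned,
 * and 'edit_post_meta' is checked so keys with their own auth_callback are honoured.
 */
function example_resolve_tags( WP_REST_Request $request ) {
    $out = array();
    foreach ( (array) $request->get_param( 'tags' ) as $i => $tag ) {
        $post = get_post( (int) $tag['post_id'] );
        switch ( $tag['type'] ) {
            case 'title':
                $out[ $i ] = get_the_title( $post );
                break;
            case 'author_email':
                // Only reachable for posts the caller may edit, which is the fix the
                // advisory calls for regarding author email disclosure.
                $author    = get_userdata( (int) $post->post_author );
                $out[ $i ] = $author ? $author->user_email : '';
                break;
            case 'meta':
                $key = isset( $tag['key'] ) ? (string) $tag['key'] : '';
                if ( '' === $key
                    || is_protected_meta( $key, 'post' )
                    || ! current_user_can( 'edit_post_meta', $post->ID, $key ) ) {
                    $out[ $i ] = '';
                    break;
                }
                $out[ $i ] = get_post_meta( $post->ID, $key, true );
                break;
        }
    }
    return rest_ensure_response( $out );
}
```

The design point is that the permission callback walks the whole request body for object references before any data is read, and checks a meta capability ('edit_post') rather than a primitive one ('edit_posts'). WordPress validates the 'args' schema before the permission callback runs, so the callback can rely on 'post_id' being an integer, and a Contributor who holds 'edit_posts' is still refused for any post that 'edit_post' maps to 'edit_others_posts' or 'edit_published_posts'.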