CVE-2025-47601

EUVD-2025-17369 | HIGH
2025-06-07 [email protected]
CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:13 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:13 (euvd) - EUVD-2025-17369
CVE Published: Jun 07, 2025 - 05:15 (nvd) - HIGH 8.8

Description

Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through 2.1.0.

Analysis

A missing authorization vulnerability in the Christiaan Pieterse MaxiBlocks WordPress plugin (versions up to 2.1.0) allows authenticated users with low privileges to escalate their access and perform unauthorized actions with high impact. An attacker with basic user credentials can bypass authorization checks to modify content, user accounts, or plugin settings, potentially leading to complete site compromise. The high CVSS score of 8.8 reflects the severe impact, although exploitation requires prior authenticated access.

Technical Context

MaxiBlocks is a WordPress page builder plugin that extends WordPress's block editor functionality. The vulnerability stems from an improper implementation pattern classified as CWE-862 (Missing Authorization): the plugin fails to adequately validate user capabilities before executing sensitive operations. WordPress relies on role-based access control (RBAC) with granular capabilities; MaxiBlocks appears to omit these checks in critical code paths. All affected versions, from the initial release through 2.1.0, contain the flawed authorization logic. The plugin likely exposes REST API endpoints or administrative functions without proper capability checks, allowing any authenticated user (subscriber-level or above) to perform actions restricted to editors or administrators.
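The pattern the Technical Context describes, as an added example that is not MaxiBlocks' own code: a hypothetical plugin REST route whose permission_callback enforces a WordPress capability instead of accepting every caller, plus an audit helper a site owner can run to list write-capable routes registered without any capability check. The namespace, option name and function names are assumed.

```php
<?php
// Added illustrative example, not the plugin's code. Hypothetical
// namespace 'example-plugin/v1' and option 'example_plugin_settings'.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'  => WP_REST_Server::EDITABLE,
        'callback' => 'example_plugin_update_settings',
        // CWE-862 form of this line is '__return_true': every caller with
        // a valid REST nonce (a subscriber included) reaches the callback.
        // Hardened: gate on the capability the action actually needs;
        // 'manage_options' is administrator-only in a default install.
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'enabled' => array( 'type' => 'boolean', 'required' => true ),
        ),
    ) );
} );

function example_plugin_update_settings( WP_REST_Request $request ) {
    $settings            = get_option( 'example_plugin_settings', array() );
    $settings['enabled'] = rest_sanitize_boolean( $request->get_param( 'enabled' ) );
    update_option( 'example_plugin_settings', $settings );
    return rest_ensure_response( $settings );
}

// Defender check: return registered REST routes that accept a write method
// (POST/PUT/PATCH/DELETE) while their permission_callback is missing or
// '__return_true', i.e. reachable with no capability check at all.
function example_audit_rest_permissions() {
    $findings = array();
    $writes   = array_flip( array( 'POST', 'PUT', 'PATCH', 'DELETE' ) );
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            if ( empty( array_intersect_key( $handler['methods'], $writes ) ) ) {
                continue; // public read-only routes are expected
            }
            $cb = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $cb || '__return_true' === $cb ) {
                $findings[] = $route;
            }
        }
    }
    return array_values( array_unique( $findings ) );
}
```

From WP-CLI, `wp eval 'print_r( example_audit_rest_permissions() );'` lists the flagged routes once the file is loaded as a plugin or mu-plugin; each hit deserves a review of which role should be allowed to call it.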

Affected Products

MaxiBlocks by Christiaan Pieterse - affected versions: all releases from the initial version through 2.1.0 inclusive. Impacted systems are WordPress installations running any MaxiBlocks version ≤2.1.0 with user accounts present. The product is deployed as a WordPress.org plugin. The specific CPE would be: cpe:2.3:a:christiaan_pieterse:maxiblocks:*:*:*:*:*:wordpress:*:* (versions 0.0.0 through 2.1.0). Any WordPress multisite or single-site installation with the MaxiBlocks plugin active and any non-admin user accounts is vulnerable.

Remediation

IMMEDIATE: Update MaxiBlocks to version 2.1.1 or later (patch must be available post-disclosure). If a patch is unavailable, implement these mitigations:
(1) Restrict MaxiBlocks access to administrator users only via Role Manager or capability plugins until patched;
(2) Audit user roles and remove unnecessary accounts with edit capabilities;
(3) Monitor audit logs for unauthorized content modifications;
(4) Temporarily disable MaxiBlocks if unpatched and not actively in use;
(5) Use WordPress security plugins to restrict REST API access.
For affected sites, validate the integrity of all pages, posts, and settings created or modified during the vulnerable period. Contact the plugin developer for the official patch timeline.

Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0
