Skip to main content

Christiaan Pieterse MaxiBlocks CVE-2025-47601

| EUVDEUVD-2025-17369 HIGH
Missing Authorization (CWE-862)
2025-06-07 audit@patchstack.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 19:13 euvd
EUVD-2025-17369
Analysis Generated
Mar 14, 2026 - 19:13 vuln.today
CVE Published
Jun 07, 2025 - 05:15 nvd
HIGH 8.8

DescriptionCVE.org

Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through 2.1.0.

AnalysisAI

Missing authorization vulnerability in Christiaan Pieterse MaxiBlocks WordPress plugin (versions up to 2.1.0) that allows authenticated users with low privileges to escalate their access and perform unauthorized actions with high impact. An attacker with basic user credentials can bypass authorization checks to modify content, user accounts, or plugin settings, potentially leading to complete site compromise. The high CVSS score of 8.8 reflects the severe impact, though exploitation requires prior authentication access.

Technical ContextAI

MaxiBlocks is a WordPress page builder plugin that extends WordPress's block editor functionality. The vulnerability stems from improper implementation of CWE-862 (Missing Authorization), where the plugin fails to adequately validate user capabilities before executing sensitive operations. WordPress relies on role-based access control (RBAC) with granular capabilities; MaxiBlocks appears to bypass these checks in critical code paths. Affected versions from initial release through 2.1.0 contain the flawed authorization logic. The plugin likely exposes REST API endpoints or administrative functions without proper capability checks, allowing any authenticated user (subscriber-level or above) to perform actions restricted to editors or administrators.

RemediationAI

IMMEDIATE: Update MaxiBlocks to version 2.1.1 or later (patch must be available post-disclosure). If patch is unavailable, implement these mitigations: (1) Restrict MaxiBlocks access to administrator users only via Role Manager or capability plugins until patched; (2) Audit user roles and remove unnecessary accounts with edit capabilities; (3) Monitor audit logs for unauthorized content modifications; (4) Temporarily disable MaxiBlocks if unpatched and not actively in use; (5) Use WordPress security plugins to restrict REST API access. For affected sites, validate integrity of all pages, posts, and settings created/modified during the vulnerable period. Contact plugin developer for official patch timeline.

Share

CVE-2025-47601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy