Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through 2.1.0.
AnalysisAI
Missing authorization vulnerability in Christiaan Pieterse MaxiBlocks WordPress plugin (versions up to 2.1.0) that allows authenticated users with low privileges to escalate their access and perform unauthorized actions with high impact. An attacker with basic user credentials can bypass authorization checks to modify content, user accounts, or plugin settings, potentially leading to complete site compromise. The high CVSS score of 8.8 reflects the severe impact, though exploitation requires prior authentication access.
Technical ContextAI
MaxiBlocks is a WordPress page builder plugin that extends WordPress's block editor functionality. The vulnerability stems from improper implementation of CWE-862 (Missing Authorization), where the plugin fails to adequately validate user capabilities before executing sensitive operations. WordPress relies on role-based access control (RBAC) with granular capabilities; MaxiBlocks appears to bypass these checks in critical code paths. Affected versions from initial release through 2.1.0 contain the flawed authorization logic. The plugin likely exposes REST API endpoints or administrative functions without proper capability checks, allowing any authenticated user (subscriber-level or above) to perform actions restricted to editors or administrators.
RemediationAI
IMMEDIATE: Update MaxiBlocks to version 2.1.1 or later (patch must be available post-disclosure). If patch is unavailable, implement these mitigations: (1) Restrict MaxiBlocks access to administrator users only via Role Manager or capability plugins until patched; (2) Audit user roles and remove unnecessary accounts with edit capabilities; (3) Monitor audit logs for unauthorized content modifications; (4) Temporarily disable MaxiBlocks if unpatched and not actively in use; (5) Use WordPress security plugins to restrict REST API access. For affected sites, validate integrity of all pages, posts, and settings created/modified during the vulnerable period. Contact plugin developer for official patch timeline.
Same weakness CWE-862 – Missing Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17369