Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data.
This issue affects GenerateBlocks: from n/a through 2.1.0.
AnalysisAI
Sensitive data exposure in the GenerateBlocks WordPress plugin (versions through 2.1.0) allows authenticated low-privilege users to retrieve embedded sensitive information via network requests. The vulnerability, classified under CWE-201, means the plugin inserts sensitive data into outbound responses where it can be intercepted or retrieved by parties with basic WordPress authentication. No public exploit code exists and CISA has not listed this in KEV, though the high confidentiality impact (CVSS C:H) indicates meaningful data leakage potential if exploited against unpatched installations.
Technical ContextAI
GenerateBlocks is a WordPress page builder plugin developed by Tom (plugin slug: generateblocks). CWE-201 - Insertion of Sensitive Information Into Sent Data - describes a root cause where an application embeds sensitive values (such as API keys, internal configuration data, user PII, or nonces) directly within data transmitted to clients, rather than leaking it through storage or logging. This differs from classic information disclosure via error messages; instead, the sensitive content is actively placed in responses - such as REST API payloads, block editor data, or rendered HTML - accessible to any party with the ability to issue the triggering request. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N confirms this is network-reachable with low access complexity and requires only a low-privilege authenticated session, resulting in high confidentiality impact with no integrity or availability consequences. The affected CPE covers GenerateBlocks from an unspecified baseline version through 2.1.0.
RemediationAI
No vendor-released patch version with an exact release tag is confirmed in the available intelligence data. Site administrators running GenerateBlocks 2.1.0 or earlier should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/generateblocks/vulnerability/wordpress-generateblocks-plugin-2-1-0-sensitive-data-exposure-vulnerability for a patched release and upgrade immediately upon availability. As an interim compensating control, restrict WordPress user roles to the minimum necessary - specifically, prevent untrusted subscriber or contributor accounts from accessing block editor functionality or any REST API endpoints exposed by GenerateBlocks, which limits the pool of users who can trigger the sensitive data retrieval path. If the plugin is not actively required, deactivating it eliminates the attack surface entirely with no trade-off beyond loss of its page-building features.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32154
GHSA-wxm7-6pxh-23qx