Skip to main content

GenerateBlocks CVE-2026-48877

| EUVDEUVD-2026-32154 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-27 audit@patchstack.com GHSA-wxm7-6pxh-23qx
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 22:22 vuln.today

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data.

This issue affects GenerateBlocks: from n/a through 2.1.0.

AnalysisAI

Sensitive data exposure in the GenerateBlocks WordPress plugin (versions through 2.1.0) allows authenticated low-privilege users to retrieve embedded sensitive information via network requests. The vulnerability, classified under CWE-201, means the plugin inserts sensitive data into outbound responses where it can be intercepted or retrieved by parties with basic WordPress authentication. No public exploit code exists and CISA has not listed this in KEV, though the high confidentiality impact (CVSS C:H) indicates meaningful data leakage potential if exploited against unpatched installations.

Technical ContextAI

GenerateBlocks is a WordPress page builder plugin developed by Tom (plugin slug: generateblocks). CWE-201 - Insertion of Sensitive Information Into Sent Data - describes a root cause where an application embeds sensitive values (such as API keys, internal configuration data, user PII, or nonces) directly within data transmitted to clients, rather than leaking it through storage or logging. This differs from classic information disclosure via error messages; instead, the sensitive content is actively placed in responses - such as REST API payloads, block editor data, or rendered HTML - accessible to any party with the ability to issue the triggering request. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N confirms this is network-reachable with low access complexity and requires only a low-privilege authenticated session, resulting in high confidentiality impact with no integrity or availability consequences. The affected CPE covers GenerateBlocks from an unspecified baseline version through 2.1.0.

RemediationAI

No vendor-released patch version with an exact release tag is confirmed in the available intelligence data. Site administrators running GenerateBlocks 2.1.0 or earlier should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/generateblocks/vulnerability/wordpress-generateblocks-plugin-2-1-0-sensitive-data-exposure-vulnerability for a patched release and upgrade immediately upon availability. As an interim compensating control, restrict WordPress user roles to the minimum necessary - specifically, prevent untrusted subscriber or contributor accounts from accessing block editor functionality or any REST API endpoints exposed by GenerateBlocks, which limits the pool of users who can trigger the sensitive data retrieval path. If the plugin is not actively required, deactivating it eliminates the attack surface entirely with no trade-off beyond loss of its page-building features.

Share

CVE-2026-48877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy