The GenerateBlocks plugin for WordPress contains an authorization flaw (CWE-863) that leads to sensitive information exposure. Authenticated users with contributor-level access or above can bypass intended access controls to view content that is not yet published, including drafts, private posts, and scheduled pages. This vulnerability affects all versions up to and including 1.8.2. The CVSS 3.1 base score is 4.3, reflecting a medium severity impact primarily on confidentiality. No official patch or remediation has been confirmed in the provided data.

An attacker with contributor or higher privileges can view unpublished content, which may include sensitive or confidential information not intended for their role. This exposure does not affect integrity or availability but compromises confidentiality of draft, private, or scheduled content within affected WordPress sites using the GenerateBlocks plugin.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access carefully and consider disabling or limiting use of the Query Loop feature in GenerateBlocks to reduce exposure risk.