CVE-2025-11369 is a missing authorization vulnerability (CWE-862) found in the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns WordPress plugin, versions up to and including 5.7.2. The vulnerability stems from inadequate capability checks on three key functions: get_instagram_access_token_callback, google_map_api_key_save_callback, and get_siteinfo. These functions handle sensitive operations related to retrieving API keys for Instagram and Google Maps services, as well as site information. Because the plugin fails to properly verify whether the requesting user has sufficient privileges, any authenticated user with Author-level permissions or higher can invoke these functions to access API keys configured within the plugin. This unauthorized access could allow attackers to misuse these keys to interact with external services, potentially leading to data exfiltration or service abuse. The vulnerability is exploitable remotely without user interaction, and the attack vector is network-based. However, exploitation requires the attacker to have at least Author-level credentials on the WordPress site, which limits the attack surface to insiders or compromised accounts. The CVSS 3.1 score of 4.3 reflects a low to medium impact primarily on confidentiality, with no impact on integrity or availability. No public exploits or active exploitation have been reported to date. The absence of patches at the time of disclosure necessitates immediate attention from site administrators to apply any forthcoming updates or implement compensating controls.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of API keys used for Instagram and Google Maps integrations on WordPress sites employing the affected plugin. Exposure of these keys can lead to unauthorized access or abuse of external services, potentially resulting in data leakage, reputational damage, or financial loss if attackers leverage the keys for malicious activities such as data scraping, fraudulent API usage, or service disruption. Organizations with multiple WordPress sites or those relying heavily on third-party integrations are particularly at risk. Since the vulnerability requires Author-level access, the threat is elevated in environments where user account management is lax or where insider threats exist. The impact is more pronounced for public-facing websites that integrate social media or mapping services, common in sectors like media, retail, tourism, and public administration across Europe. Although the vulnerability does not directly compromise site integrity or availability, the indirect consequences of API key misuse can be significant, especially if attackers pivot to further attacks using stolen credentials.

European organizations should immediately audit user roles and permissions on WordPress sites using the Gutenberg Essential Blocks plugin to ensure that only trusted users have Author-level or higher access. Implement strict access controls and monitor for unusual account activity. Until an official patch is released, consider disabling or removing the plugin if feasible, or restrict access to the affected functions through custom code or security plugins that enforce capability checks. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the vulnerable functions. Rotate any exposed API keys for Instagram and Google Maps to invalidate potentially compromised credentials. Regularly update WordPress core, plugins, and themes to incorporate security fixes promptly. Additionally, conduct security awareness training for site administrators and content authors to reduce the risk of credential compromise. Monitor security advisories from the plugin vendor and WordPress security teams for patch releases and further guidance.