CVE-2025-11369 is a security vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns, versions up to and including 5.7.2. The flaw stems from inadequate or missing capability checks in three specific callback functions: get_instagram_access_token_callback, google_map_api_key_save_callback, and get_siteinfo. These functions handle sensitive operations such as retrieving Instagram access tokens and Google Maps API keys, which are critical for integrating external services into WordPress sites. Due to the missing authorization, any authenticated user with Author-level access or higher can exploit this vulnerability to view these API keys without proper permission. The vulnerability is remotely exploitable over the network without requiring user interaction, and it does not affect the integrity or availability of the system. The CVSS v3.1 base score is 4.3, reflecting a medium severity level primarily due to the confidentiality impact. No patches or known exploits have been reported at the time of publication. This vulnerability highlights the importance of enforcing strict capability checks in WordPress plugins to prevent unauthorized data disclosure, especially for plugins that manage external service credentials.

The primary impact of CVE-2025-11369 is the unauthorized disclosure of sensitive API keys for external services such as Instagram and Google Maps. Attackers with Author-level access can extract these credentials, potentially leading to misuse of these external services, unauthorized data access, or further attacks leveraging these API keys. Although the vulnerability does not directly compromise the integrity or availability of the WordPress site, the exposure of API keys can undermine the confidentiality of integrated services and may result in reputational damage or financial loss if attackers abuse these keys. Organizations relying on this plugin for content management and external service integration face increased risk of data leakage and unauthorized service usage. The vulnerability's exploitation requires authenticated access, which limits the attack surface to users with at least Author privileges, but insider threats or compromised accounts elevate the risk. Given WordPress's widespread use globally, the impact can be significant for organizations that do not promptly address this issue.

To mitigate CVE-2025-11369, organizations should immediately update the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin to a version where this vulnerability is fixed once available. Until a patch is released, administrators should restrict Author-level and higher privileges to trusted users only, minimizing the risk of exploitation. Implementing strict role-based access controls and regularly auditing user permissions can reduce exposure. Additionally, organizations should consider rotating or regenerating API keys for Instagram, Google Maps, and other affected services to invalidate any potentially compromised credentials. Monitoring logs for unusual access patterns to these API keys or related plugin functions can help detect exploitation attempts. For environments where immediate patching is not feasible, disabling or removing the vulnerable plugin temporarily can be a last-resort mitigation. Finally, plugin developers should review and enforce proper capability checks on all sensitive functions to prevent similar authorization issues.