The vulnerability identified as CVE-2025-12134 affects the ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns developed by bdthemes for WordPress. The issue stems from a missing authorization (CWE-862) in the update_popup_status() function, which fails to verify whether the user has the necessary permissions before allowing changes to popup status settings. This flaw enables unauthenticated attackers to remotely enable or disable popups on affected WordPress sites without any authentication or user interaction. The vulnerability impacts all versions up to and including 2.3.11. The CVSS 3.1 base score is 5.3, indicating a medium severity, with the vector highlighting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). While this vulnerability does not allow data disclosure or denial of service, unauthorized modification of popup settings can be leveraged for social engineering, phishing, or other malicious activities by manipulating site content. No patches or exploit code are currently publicly available, and no known exploits have been reported in the wild as of the publication date. The vulnerability was assigned and published by Wordfence on October 24, 2025.

The primary impact of CVE-2025-12134 is unauthorized modification of popup settings on WordPress sites using the vulnerable ZoloBlocks plugin. Although it does not directly compromise confidentiality or availability, the integrity of site content can be affected, potentially enabling attackers to display malicious or misleading popups. This can facilitate phishing attacks, malware distribution, or user deception, undermining user trust and damaging organizational reputation. For e-commerce, financial, or high-traffic websites, such unauthorized changes could lead to customer loss, regulatory scrutiny, or brand damage. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, especially for sites that have not updated the plugin. However, the absence of known exploits in the wild suggests limited immediate threat, though this could change rapidly once exploit code becomes available. Organizations relying on this plugin should consider the risk of indirect impacts through social engineering and user manipulation.

To mitigate CVE-2025-12134, organizations should immediately update the ZoloBlocks plugin to a patched version once available from bdthemes. In the absence of an official patch, administrators should restrict access to WordPress administrative interfaces and plugin management functions using IP whitelisting or VPN access to reduce exposure. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized requests targeting the update_popup_status() function can provide temporary protection. Regularly audit plugin configurations and monitor logs for unusual popup status changes. Additionally, educating site administrators about this vulnerability and encouraging prompt plugin updates is critical. For high-risk environments, consider disabling the plugin until a secure version is released. Employing multi-factor authentication (MFA) for WordPress admin accounts, although not directly preventing this unauthenticated exploit, can help reduce overall attack surface. Finally, maintain regular backups to quickly restore site integrity if unauthorized changes occur.