CVE-2025-12512: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in edge22 GenerateBlocks
The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under `generateblocks/v1/meta/` that gate access with `current_user_can('edit_posts')`, which is granted to low-privileged roles such as Contributor. The handlers accept arbitrary entity IDs (user IDs, post IDs, etc.) and meta keys, returning any requested metadata with only a short blacklist of password-like keys for protection. There is no object-level authorization ensuring the caller is requesting only their own data, and there is no allowlist of safe keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to exfiltrate personally identifiable information (PII) and other sensitive profile data of administrator accounts or any other users by directly querying user meta keys through the exposed endpoints and the `get_user_meta_rest` function. In typical WordPress + WooCommerce setups, this includes names, email, phone, and address fields that WooCommerce stores in user meta, enabling targeted phishing, account takeover pretexting, and privacy breaches.
AI Analysis
Technical Summary
The GenerateBlocks plugin for WordPress versions up to and including 2.1.2 contains a vulnerability classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). This vulnerability arises because the plugin registers multiple REST API routes under the path generateblocks/v1/meta/ that are protected only by the capability check current_user_can('edit_posts'). This capability is granted to low-privileged roles such as Contributors, which means that users with relatively limited permissions can access these endpoints. The API handlers accept arbitrary entity IDs (such as user IDs or post IDs) and meta keys, returning the corresponding metadata. The plugin implements only a minimal blacklist of password-like keys but lacks object-level authorization checks to ensure that the requesting user can only access their own data. There is also no allowlist of safe meta keys, allowing attackers to query any user meta data. In WordPress setups integrated with WooCommerce, this metadata often includes sensitive personally identifiable information (PII) such as names, email addresses, phone numbers, and physical addresses stored in user meta fields. An attacker with Contributor-level access can exploit this flaw to exfiltrate sensitive profile data of administrators or other users by directly querying user meta keys via the exposed REST API endpoints, specifically through the get_user_meta_rest function. This exposure can facilitate targeted phishing campaigns, social engineering, and account takeover attempts. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity), reflecting that it requires authentication with low privileges, has no user interaction requirement, and impacts confidentiality only, without affecting integrity or availability. No patches or exploits are currently publicly available, but the risk remains significant for sites with Contributor-level users and sensitive user data.
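The two controls the summary says are missing, object-level authorization and a meta-key allowlist, look like this on a WordPress REST route. This is an added illustration, not GenerateBlocks code: the `example/v1` namespace, the `id` and `key` parameter names, the function names and the allowlist contents are all hypothetical.

```php
<?php
// Added illustration, not GenerateBlocks code. The namespace, route, parameter
// names and allowlist below are hypothetical.

// Allowlist: only these user meta keys are ever returned (pick per site).
const EXAMPLE_SAFE_USER_META_KEYS = array( 'nickname', 'description' );

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/user-meta', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_get_user_meta',
		'permission_callback' => 'example_can_read_user_meta',
		'args'                => array(
			'id'  => array( 'required' => true, 'sanitize_callback' => 'absint' ),
			'key' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
		),
	) );
} );

// Weak gate, the pattern the advisory describes: a role-wide capability that
// every Contributor holds, evaluated without looking at the requested ID.
//     return current_user_can( 'edit_posts' );

// Hardened gate: authorize against the specific object being read.
function example_can_read_user_meta( WP_REST_Request $request ) {
	$target_id = absint( $request['id'] );
	$is_self   = is_user_logged_in() && get_current_user_id() === $target_id;
	// Own profile, or the per-user 'edit_user' meta capability for anyone else.
	if ( $is_self || current_user_can( 'edit_user', $target_id ) ) {
		return true;
	}
	return new WP_Error( 'rest_forbidden', 'Not allowed to read this user.',
		array( 'status' => rest_authorization_required_code() ) );
}

function example_get_user_meta( WP_REST_Request $request ) {
	$key = sanitize_key( $request['key'] );
	// Deny by default: a key missing from the allowlist is never returned,
	// so newly added PII fields stay private without a blocklist update.
	if ( ! in_array( $key, EXAMPLE_SAFE_USER_META_KEYS, true ) ) {
		return new WP_Error( 'rest_forbidden_key', 'Meta key is not exposed.',
			array( 'status' => 403 ) );
	}
	return rest_ensure_response( get_user_meta( absint( $request['id'] ), $key, true ) );
}
```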
Potential Impact
For European organizations, this vulnerability poses a privacy and security risk primarily through unauthorized disclosure of personally identifiable information (PII) stored in WordPress user meta fields, especially in WooCommerce environments common in e-commerce businesses. Exposure of names, emails, phone numbers, and addresses can enable targeted phishing attacks, social engineering, and pretexting, potentially leading to account takeovers and broader compromise. Organizations handling sensitive customer or employee data are at risk of violating GDPR and other privacy regulations if such data is leaked. The vulnerability does not directly impact system integrity or availability but undermines trust and can cause reputational damage. Since Contributor-level users can exploit this flaw, insider threats or compromised low-privilege accounts can escalate data exposure. European e-commerce platforms, SMEs, and public sector websites using WordPress with GenerateBlocks and WooCommerce are particularly vulnerable. The medium CVSS score reflects moderate impact but the potential for significant downstream consequences related to privacy breaches and regulatory non-compliance.
Mitigation Recommendations
1. Immediately update the GenerateBlocks plugin to a version that addresses this vulnerability once released by the vendor. Monitor vendor announcements for patches.
2. Until a patch is available, restrict Contributor and other low-privilege user roles from accessing REST API endpoints by customizing permissions or using security plugins that can limit REST API access.
3. Implement web application firewall (WAF) rules to detect and block suspicious REST API requests targeting generateblocks/v1/meta/ endpoints with arbitrary user IDs or meta keys.
4. Audit user roles and permissions to minimize the number of users with Contributor or higher privileges, especially on public-facing sites.
5. Review and sanitize user meta data stored by WooCommerce or other plugins to minimize sensitive information exposure.
6. Enable logging and monitoring of REST API access to detect unusual patterns indicative of data scraping or reconnaissance.
7. Educate administrators and users about phishing risks stemming from leaked PII and enforce strong authentication mechanisms such as MFA to mitigate account takeover risks.
8. Consider disabling or limiting the REST API entirely if not required for site functionality, using plugins or custom code.
9. Conduct regular security assessments and penetration testing focusing on REST API endpoints and user metadata exposure.
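One way to apply recommendations 2 and 6 with custom code is a must-use plugin that refuses requests to the `generateblocks/v1/meta/` routes unless the caller holds a higher capability, and logs each refusal. This is an added example, not vendor code; the `manage_options` threshold and the constant name are assumptions to adjust per site.

```php
<?php
/**
 * Interim restriction for the generateblocks/v1/meta/ REST routes.
 * Added example, not vendor code. Save as a file in wp-content/mu-plugins/.
 */

// Assumption: only roles holding this capability may reach the meta routes.
const EXAMPLE_GB_META_REQUIRED_CAP = 'manage_options';

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result; // Another filter already answered the request.
	}
	// WordPress matches routes case-insensitively, so compare the same way.
	$route = trailingslashit( $request->get_route() );
	if ( 0 !== stripos( $route, '/generateblocks/v1/meta/' ) ) {
		return $result; // Not one of the affected routes.
	}
	if ( current_user_can( EXAMPLE_GB_META_REQUIRED_CAP ) ) {
		return $result; // Privileged caller: let the plugin handle it.
	}
	// Leave a trail for monitoring: who asked for which route.
	// wp_json_encode() escapes control characters in the logged route.
	error_log( sprintf(
		'Blocked generateblocks meta request: user=%d route=%s',
		get_current_user_id(),
		wp_json_encode( $request->get_route() )
	) );
	return new WP_Error( 'rest_forbidden', 'This endpoint is restricted.',
		array( 'status' => rest_authorization_required_code() ) );
}, 10, 3 );
```

Editor features that rely on these routes will stop working for roles below the chosen capability while the filter is active. Remove the file once a fixed plugin version is installed.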
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T15:01:41.942Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693ce0d37c4acd10e84d9254
Added to database: 12/13/2025, 3:43:15 AM
Last enriched: 12/13/2025, 3:59:29 AM
Last updated: 12/15/2025, 2:15:00 AM