CVE-2025-12512 is an information exposure vulnerability in the GenerateBlocks plugin for WordPress, affecting all versions up to and including 2.1.2. The root cause is the absence of object-level authorization checks on several REST API routes registered under generateblocks/v1/meta/. These endpoints rely solely on the capability check current_user_can('edit_posts'), which is granted to low-privileged roles such as Contributors. The API handlers accept arbitrary entity IDs (including user IDs and post IDs) and meta keys, returning the corresponding metadata without verifying that the requesting user is authorized to access that specific data. Although a minimal blacklist prevents access to password-like keys, there is no allowlist to restrict which meta keys can be retrieved. Consequently, an authenticated user with Contributor or higher privileges can query sensitive user meta data belonging to administrators or other users. In typical WordPress installations integrated with WooCommerce, this metadata includes personally identifiable information such as full names, email addresses, phone numbers, and physical addresses stored in user meta fields. This exposure can be exploited for targeted phishing campaigns, social engineering, or account takeover attacks by providing attackers with detailed personal information. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score is 4.3 (medium), reflecting the low complexity and limited impact on integrity and availability but notable confidentiality impact. No public exploits are known at this time, and no official patches have been released yet. The vulnerability was assigned by Wordfence and publicly disclosed in December 2025.

This vulnerability allows attackers with low-level authenticated access (Contributor or higher) to exfiltrate sensitive user metadata, including PII such as names, emails, phone numbers, and addresses. For organizations, this leads to significant privacy breaches, undermining user trust and potentially violating data protection regulations like GDPR or CCPA. Attackers can leverage this information for targeted phishing, social engineering, or account takeover attacks, increasing the risk of further compromise. E-commerce sites using WooCommerce are particularly at risk due to the rich user meta data stored. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have severe reputational and legal consequences. The ease of exploitation and the widespread use of WordPress and GenerateBlocks amplify the potential impact globally.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict access to the vulnerable REST API endpoints by limiting permissions beyond current_user_can('edit_posts'), ideally to administrator roles only. 2) Employ web application firewalls (WAFs) to detect and block suspicious REST API requests targeting generateblocks/v1/meta/ routes with arbitrary user IDs or meta keys. 3) Audit user roles and reduce the number of users with Contributor or higher privileges to the minimum necessary. 4) Monitor logs for unusual API access patterns indicative of data scraping attempts. 5) If feasible, disable or uninstall the GenerateBlocks plugin temporarily in high-risk environments until a patch is available. 6) Follow vendor communications closely and apply security updates promptly once released. 7) Consider implementing custom code or plugins that enforce strict object-level authorization on REST API endpoints to ensure users can only access their own metadata.