CVE-2026-3454: CWE-639 Authorization Bypass Through User-Controlled Key in edge22 GenerateBlocks
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.
AI Analysis
Technical Summary
CVE-2026-3454 describes an insecure direct object reference vulnerability in the GenerateBlocks WordPress plugin (up to version 2.2.0). The REST endpoint /wp-json/generateblocks/v1/dynamic-tag-replacements performs insufficient authorization checks by validating only the edit_posts capability but not verifying if the user has permission to access the specific post or its associated data identified by attacker-controlled id parameters. This allows authenticated users with Contributor-level permissions or higher to extract sensitive information from arbitrary posts by crafting dynamic tag payloads referencing post meta or author email fields.
Potential Impact
An attacker with Contributor-level or higher privileges can bypass object-level authorization controls to access sensitive information from arbitrary posts, including author email addresses and non-protected post meta data. This leads to confidentiality breaches but does not affect integrity or availability. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, and limited privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict Contributor-level user permissions if possible and monitor for suspicious use of the dynamic-tag-replacements REST endpoint. Avoid exposing sensitive post meta data via dynamic tags. Follow vendor updates closely for an official fix.
CVE-2026-3454: CWE-639 Authorization Bypass Through User-Controlled Key in edge22 GenerateBlocks
Description
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as {{post_meta id:<target>|key:<meta_key>}} and {{post_title id:<target>|link:author_email}}.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3454 describes an insecure direct object reference vulnerability in the GenerateBlocks WordPress plugin (up to version 2.2.0). The REST endpoint /wp-json/generateblocks/v1/dynamic-tag-replacements performs insufficient authorization checks by validating only the edit_posts capability but not verifying if the user has permission to access the specific post or its associated data identified by attacker-controlled id parameters. This allows authenticated users with Contributor-level permissions or higher to extract sensitive information from arbitrary posts by crafting dynamic tag payloads referencing post meta or author email fields.
Potential Impact
An attacker with Contributor-level or higher privileges can bypass object-level authorization controls to access sensitive information from arbitrary posts, including author email addresses and non-protected post meta data. This leads to confidentiality breaches but does not affect integrity or availability. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, and limited privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict Contributor-level user permissions if possible and monitor for suspicious use of the dynamic-tag-replacements REST endpoint. Avoid exposing sensitive post meta data via dynamic tags. Follow vendor updates closely for an official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-02T18:19:27.487Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f996efcbff5d8610d19715
Added to database: 5/5/2026, 7:06:23 AM
Last enriched: 5/5/2026, 7:21:55 AM
Last updated: 5/6/2026, 3:54:35 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.