GenerateBlocks Plugin Vulnerability (CVE-2026-3454)

Security Alert Summary

The GenerateBlocks plugin for WordPress has an Insecure Direct Object Reference vulnerability in its dynamic tag replacements REST endpoint. Authenticated users with Contributor-level access or higher may be able to retrieve sensitive information from posts, such as author email addresses and certain non-protected post meta values, because the endpoint fails to perform object-level authorization checks.


CVE Details

  • CVE ID: CVE-2026-3454
  • Affected component: GenerateBlocks plugin (dynamic tag replacements REST endpoint)
  • Affected versions: All versions up to and including 2.2.0
  • Published: May 5, 2026 at 7:16 AM UTC
  • Last modified: May 5, 2026 at 7:16 AM UTC
  • CVSS v3.1 base score: 6.5 (MEDIUM)
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User interaction: Requires an authenticated user with low privileges (Contributor-level access or higher). No user interaction required.
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key, commonly described as Insecure Direct Object Reference)

Technical Details

The vulnerability exists in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The route-level permission check confirms that the requester holds the edit_posts capability, which every Contributor has, but the endpoint performs no object-level authorization to confirm that the requesting user may access the specific post, or its associated data, referenced by attacker-controlled id parameters inside the dynamic tag content.

Because the dynamic tag callbacks and the related meta-handling code do not validate access to the targeted post or post meta, an authenticated user with Contributor-level privileges or higher can craft dynamic tag payloads that reference arbitrary post IDs and read certain data from those posts. The upstream advisory names the plugin files and callback logic where these checks are missing; those code paths are not reproduced here (see references).

The impact is limited to disclosure of readable data from posts and post meta that are not otherwise protected. Nothing in the advisory indicates that content can be modified or deleted, or that there is a direct availability impact, which matches the CVSS vector (I:N/A:N).
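To make the missing check concrete, the following is an added illustration of the pattern, not GenerateBlocks' own code: a REST route whose permission_callback only tests edit_posts, beside a handler that authorises the specific post before reading its meta and author data. The route namespace example/v1, the parameter names id and key, the handler names, and the choice of list_users as the gate for the author e-mail are assumptions made for this example.

```php
<?php
/**
 * Illustration of the object-level authorization gap behind CVE-2026-3454.
 * This is NOT GenerateBlocks' code. The route namespace, parameter names,
 * handler names and the list_users gate below are assumptions for the example.
 */

// --- Vulnerable pattern: route-level capability check only -----------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/dynamic-tag-replacements', array(
        'methods'             => 'POST',
        // Any user holding edit_posts (Contributors included) passes this gate.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        // Swap in example_hardened_replacements below to close the gap.
        'callback'            => 'example_vulnerable_replacements',
    ) );
} );

function example_vulnerable_replacements( WP_REST_Request $request ) {
    // Attacker-controlled post ID taken from the tag payload and used as-is.
    $post_id = absint( $request->get_param( 'id' ) );
    $key     = sanitize_key( $request->get_param( 'key' ) );
    $post    = get_post( $post_id );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post.', array( 'status' => 404 ) );
    }
    // No check that the caller may read this post's meta or its author's data.
    return rest_ensure_response( array(
        'author_email' => get_the_author_meta( 'user_email', $post->post_author ),
        'meta'         => get_post_meta( $post_id, $key, true ),
    ) );
}

// --- Hardened pattern: authorise the specific object before reading it -----
function example_hardened_replacements( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'id' ) );
    $key     = sanitize_key( $request->get_param( 'key' ) );
    $post    = get_post( $post_id );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post.', array( 'status' => 404 ) );
    }

    // Object-level check: edit_post is a meta-capability resolved per post, so a
    // Contributor only passes for posts they can actually edit (their own drafts).
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'You may not read this post.', array( 'status' => 403 ) );
    }

    // Never hand back protected meta (underscore-prefixed or registered as protected).
    if ( is_protected_meta( $key, 'post' ) ) {
        return new WP_Error( 'forbidden', 'Protected meta key.', array( 'status' => 403 ) );
    }

    // The author e-mail is user data, not post data; gate it separately.
    // list_users is an assumed threshold, chosen because it excludes Contributors.
    $author_email = current_user_can( 'list_users' )
        ? get_the_author_meta( 'user_email', $post->post_author )
        : null;

    return rest_ensure_response( array(
        'author_email' => $author_email,
        'meta'         => get_post_meta( $post_id, $key, true ),
    ) );
}
```

The point of the hardened version is that the capability is evaluated against the post the request names, not against the caller's role in the abstract; a route-level edit_posts check can only ever say "this user may edit some posts", which is not the question the handler needs answered.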


How This Could Impact Your Website

Consider a small site with a site owner, one or more editors, and external contributors or contractors who post content. An attacker who has a Contributor account could use the vulnerable dynamic tag endpoint to retrieve author email addresses and non-protected post meta values from posts they should not be able to read. This could expose internal email addresses or metadata used for editorial workflows.

Practical consequences include an increased risk of targeted phishing or social engineering against staff and contractors, and exposure of information that might be used to infer internal processes. If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update GenerateBlocks as soon as a release that fixes this issue is available; every version up to and including 2.2.0 is affected.
  • Review user accounts and remove or downgrade unnecessary ones, especially Contributor accounts and other low-privilege accounts that can create or edit posts, since that is the level of access this vulnerability requires.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and logs for unusual behavior, such as requests to /wp-json/generateblocks/v1/dynamic-tag-replacements from Contributor accounts, particularly repeated requests that cycle through post IDs, or other repeated attempts by non-privileged accounts to reach content they should not see.
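Until a fixed release is installed, a site operator can put the two items above (restrict who can reach the endpoint, and log who tries) in front of the plugin without modifying it. The following must-use plugin is an added example, not something GenerateBlocks or the advisory provides; the capability threshold edit_others_posts, the log line format, and the use of PHP's error_log are assumptions, and the route string is taken from the endpoint path on this page.

```php
<?php
/**
 * Plugin Name: Interim guard for the GenerateBlocks dynamic-tag endpoint
 * Place in wp-content/mu-plugins/ until a fixed GenerateBlocks release is installed.
 * Added example, not vendor-provided; threshold and log format are assumptions.
 */

// Capability a caller must hold to use the endpoint while the guard is active.
// edit_others_posts excludes Contributors and Authors; Editors and Administrators keep access.
const EXAMPLE_GUARD_CAP   = 'edit_others_posts';
// REST route without the /wp-json prefix, matching the path named in the advisory.
const EXAMPLE_GUARD_ROUTE = '/generateblocks/v1/dynamic-tag-replacements';

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( $request->get_route() !== EXAMPLE_GUARD_ROUTE ) {
        return $result; // Not the guarded endpoint; let WordPress dispatch normally.
    }

    $user    = wp_get_current_user();
    $allowed = current_user_can( EXAMPLE_GUARD_CAP );
    $ip      = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    // Record every hit so repeated probing by low-privilege accounts shows up in the PHP error log.
    error_log( sprintf(
        'generateblocks dynamic-tag request: user=%s uid=%d allowed=%s ip=%s',
        $user->user_login ?: 'anonymous',
        $user->ID,
        $allowed ? 'yes' : 'no',
        $ip
    ) );

    if ( $allowed ) {
        return $result; // Returning null lets the plugin's own callback run.
    }

    // A non-null return short-circuits dispatch, so the plugin callback never executes.
    return new WP_Error(
        'rest_forbidden',
        'This endpoint is temporarily restricted pending a plugin update.',
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Two caveats before deploying it: the route string must match exactly what the plugin registers, so confirm it against your installed version, and blocking Contributors here may break their use of dynamic tags in the block editor until the patched plugin is in place, which is the trade-off the guard makes deliberately.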

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References