CVE-2025-12449 aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification

🗓️ 07 Jan 2026 07:17:34Reported by WordfenceType

Authenticated subscribers can read settings and API keys due to missing capability checks in aBlocks up to 2.4.0.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2025-12449	7 Jan 202608:22	–	circl
CNNVD	WordPress plugin aBlocks 安全漏洞	7 Jan 202600:00	–	cnnvd
CVE	CVE-2025-12449	7 Jan 202607:17	–	cve
EUVD	EUVD-2026-1338	7 Jan 202607:17	–	euvd
NVD	CVE-2025-12449	7 Jan 202612:16	–	nvd
Patchstack	WordPress aBlocks - WordPress Gutenberg Blocks plugin <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification vulnerability	6 Jan 202622:17	–	patchstack
Positive Technologies	PT-2026-1578	7 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2025-12449	9 Jan 202609:18	–	redhatcve
Vulnrichment	CVE-2025-12449 aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification	7 Jan 202607:17	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (January 5, 2026 to January 11, 2026)	15 Jan 202616:14	–	wordfence

[
  {
    "vendor": "kodezen",
    "product": "aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "2.4.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/assets.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4
plugins	www.plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/ajax/settings.php
plugins	www.plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/classes/abstract-request-handler.php

08 Apr 2026 17:19Current

CVSS 3.15.4

EPSS0.00227

CWE-862