CVE-2025-2568: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 - 1.2.1 - Missing Authorization to Unauthenticated Limited Arbitrary Options Update

5.3 CVSS

Description

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' functions in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.
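The weakness class described above (a callback that reads and writes options without a capability check, gated only by an option-name suffix) and one hardened form of the same handler, as an added illustration. This is not the Vayu Blocks plugin's code and not the vendor's fix; the hook names, option names, nonce action and the allow-list are hypothetical, and the WordPress API calls used are standard core functions.

```php
<?php
/**
 * Added illustration (not the Vayu Blocks plugin's code): the missing-authorization
 * pattern behind CVE-2025-2568 and a hardened form of the same handler.
 * Hook names, option names, the nonce action and $allowed are hypothetical.
 */

// --- Vulnerable pattern: a "nopriv" AJAX hook with no capability or nonce check. ---
// Any visitor who can reach admin-ajax.php can read and write the matching options.
add_action( 'wp_ajax_nopriv_demo_save_toggle', 'demo_save_toggle_vulnerable' );
add_action( 'wp_ajax_demo_save_toggle',        'demo_save_toggle_vulnerable' );

function demo_save_toggle_vulnerable() {
    $key   = isset( $_POST['key'] )   ? sanitize_key( $_POST['key'] ) : '';
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    // Only the suffix is checked, so every option whose name ends in "_value" is writable.
    if ( substr( $key, -6 ) === '_value' ) {
        update_option( $key, $value );
        wp_send_json_success( array( 'saved' => $key ) );
    }
    wp_send_json_error( 'bad key', 400 );
}

// --- Hardened form: authenticated hook only, nonce, capability check, allow-list. ---
add_action( 'wp_ajax_demo_save_toggle_secure', 'demo_save_toggle_secure' );

function demo_save_toggle_secure() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'demo_toggle_nonce', 'nonce' );

    // 2. Authorization: only users allowed to change site settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Explicit allow-list of writable options instead of a suffix match.
    $allowed = array(
        'demo_feature_a_value' => true,
        'demo_feature_b_value' => true,
    );
    $key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'bad key', 400 );
    }

    // 4. Constrain the value to the type a toggle actually needs ("1" or "0").
    $value = ( isset( $_POST['value'] ) && $_POST['value'] === '1' ) ? '1' : '0';
    update_option( $key, $value );
    wp_send_json_success( array( 'saved' => $key, 'value' => $value ) );
}

// Read side gets the same checks, so option contents are not disclosed to anonymous callers.
add_action( 'wp_ajax_demo_get_toggle_secure', 'demo_get_toggle_secure' );

function demo_get_toggle_secure() {
    check_ajax_referer( 'demo_toggle_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $out = array();
    foreach ( array( 'demo_feature_a_value', 'demo_feature_b_value' ) as $k ) {
        $out[ $k ] = get_option( $k, '0' );
    }
    wp_send_json_success( $out );
}
```

The same three controls apply if the handlers are exposed as REST routes instead of admin-ajax hooks: put the `current_user_can()` check in the route's `permission_callback` rather than `__return_true`, validate the option name against an allow-list in the route's argument schema, and never derive writable option names from a user-supplied string.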

Classification

CVE ID: CVE-2025-2568

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-862 Missing Authorization

Affected Products

Vendor: themehunk

Product: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 23.44% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2568
https://www.wordfence.com/threat-intel/vulnerabilities/id/27ca93a1-3dfc-4bbd-834a-1c04d9e22ebf?source=cve
https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/function.php#L126
https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/function.php#L133
https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/function.php#L139
https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/function.php#L182
https://plugins.trac.wordpress.org/changeset/3263702/

Timeline