CVE-2026-3454 Overview
CVE-2026-3454 is an Insecure Direct Object Reference (IDOR) vulnerability in the GenerateBlocks plugin for WordPress, affecting all versions up to and including 2.2.0. The flaw resides in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint, which checks only the edit_posts capability without verifying access to specific posts referenced by attacker-controlled id parameters. Authenticated users with Contributor-level access or higher can extract sensitive data from arbitrary posts, including author email addresses and non-protected post meta values. The vulnerability is classified under [CWE-639] (Authorization Bypass Through User-Controlled Key).
Critical Impact
Authenticated attackers with Contributor-level access can extract author email addresses and arbitrary post meta values from any post on the WordPress site.
Affected Products
- GenerateBlocks plugin for WordPress, versions through 2.2.0
- WordPress sites permitting Contributor-level registration or higher
- Any site running GenerateBlocks with the dynamic tags feature enabled
Discovery Timeline
- 2026-05-05 - CVE-2026-3454 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-3454
Vulnerability Analysis
The vulnerability exists in the GenerateBlocks dynamic tag processing logic. The REST endpoint /wp-json/generateblocks/v1/dynamic-tag-replacements accepts dynamic tag payloads and resolves them server-side. While the endpoint enforces a edit_posts capability check, it omits object-level authorization. An authenticated user can submit dynamic tag payloads referencing post IDs they should not access. The server resolves the tag and returns post data without validating ownership or post-specific permissions.
Root Cause
The plugin pattern relies solely on a coarse capability check rather than validating per-resource access. Code paths in class-dynamic-tags.php and class-dynamic-tag-callbacks.php accept user-supplied id parameters and dispatch to handlers that read post fields and meta values. The handlers trust the requested ID without confirming the requester has permission to read that specific post. This pattern matches [CWE-639] Authorization Bypass Through User-Controlled Key.
Attack Vector
An attacker authenticates to the WordPress site as a Contributor or higher. The attacker sends a crafted POST request to the dynamic tag replacements REST endpoint containing tag payloads such as {{post_meta id:<target>|key:<meta_key>}} to read arbitrary post meta, or {{post_title id:<target>|link:author_email}} to retrieve the author email of a target post. The server returns the resolved tag content, leaking data the attacker is not authorized to view.
The vulnerability requires authentication but no user interaction. Refer to the Wordfence Vulnerability Analysis and the WordPress GenerateBlocks Dynamic Tags source for the affected code paths.
Detection Methods for CVE-2026-3454
Indicators of Compromise
- POST requests to /wp-json/generateblocks/v1/dynamic-tag-replacements originating from low-privilege accounts.
- Request bodies containing dynamic tag patterns such as {{post_meta id: or {{post_title id: with link:author_email modifiers.
- Bursts of dynamic tag replacement calls iterating sequential post IDs from a single authenticated session.
Detection Strategies
- Inspect WordPress access logs for repeated calls to the GenerateBlocks dynamic tag REST route with varying id parameters.
- Correlate Contributor or Author session activity with REST endpoint usage atypical for content authoring.
- Alert on dynamic tag payloads referencing post IDs the requesting user does not own or has not been granted access to.
Monitoring Recommendations
- Enable verbose REST API logging in WordPress and forward logs to centralized analytics.
- Monitor for enumeration patterns where one account requests dynamic tag content for many distinct post IDs in a short window.
- Track outbound responses from the endpoint that contain email addresses or private meta keys.
How to Mitigate CVE-2026-3454
Immediate Actions Required
- Update the GenerateBlocks plugin to a version newer than 2.2.0 that includes the fix referenced in the GenerateBlocks Changeset.
- Audit user accounts with Contributor-level access or higher and remove unused or untrusted accounts.
- Review post meta storage for sensitive values that should not be readable by content contributors.
Patch Information
The vendor addressed the issue in the GenerateBlocks repository changeset that supersedes version 2.2.0. The fix introduces object-level authorization checks for the dynamic tag REST endpoint. Review the WordPress GenerateBlocks Meta Handler source to confirm the affected code paths in version 2.2.0 before patching.
Workarounds
- Restrict new user registration and disable the Contributor role if not actively used.
- Deploy a Web Application Firewall (WAF) rule blocking unauthenticated or low-privilege requests to /wp-json/generateblocks/v1/dynamic-tag-replacements containing author_email or arbitrary post_meta references.
- Temporarily disable the GenerateBlocks plugin if patching is not feasible and the dynamic tags feature is not required.
# Example WAF rule (ModSecurity) to block IDOR exploitation attempts
SecRule REQUEST_URI "@contains /wp-json/generateblocks/v1/dynamic-tag-replacements" \
"id:1026003454,phase:2,deny,status:403,\
msg:'Block GenerateBlocks IDOR CVE-2026-3454',\
chain"
SecRule REQUEST_BODY "@rx (post_meta\s+id:|link:author_email)" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
