Unauthorized Data Access in Vayu Blocks for WordPress and WooCommerce
CVE-2025-2568

5.3MEDIUM

Key Information:

Vendor

WordPress
Status
Vayu Blocks – Gutenberg Blocks For WordPress & WooCommerce
Vendor
CVE Published:
8 April 2025

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

What is CVE-2025-2568?

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin is susceptible to unauthorized data access and potential modification due to inadequate capability checks in crucial functions. Specifically, the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' functions fail to authenticate user permissions. This flaw enables unauthenticated attackers to read sensitive plugin options and alter any option with a key name that ends in '_value', posing significant risks to data integrity and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 <= 1.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

PoC_CVE-2025-2568
Created by shinigami-777

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/vayu-blocks/tr...
https://plugins.trac.wordpress.org/browser/vayu-blocks/tr...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kenneth Dunn
JSON
.