Unauthorized Data Access in Vayu Blocks for WordPress and WooCommerce
CVE-2025-2568

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Vayu Blocks – Gutenberg Blocks For WordPress & WooCommerce
Vendor: CVE Published:; 8 April 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-2568?

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin is susceptible to unauthorized data access and potential modification due to inadequate capability checks in crucial functions. Specifically, the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' functions fail to authenticate user permissions. This flaw enables unauthenticated attackers to read sensitive plugin options and alter any option with a key name that ends in '_value', posing significant risks to data integrity and security.

Affected Version(s)

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 <= 1.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

PoC_CVE-2025-2568
Created by shinigami-777

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/vayu-blocks/tr...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 5, 2025
👾
Exploit known to exist
Oct 5, 2025
Vulnerability published
Apr 8, 2025
Vulnerability Reserved
Mar 20, 2025

Credit

Kenneth Dunn

JSON