This morning, we’ve released a patch for a medium severity vulnerability in GenerateBlocks. The patch is available in version 2.1.1, which can be applied through an update in your plugin dashboard or by downloading the latest version of GenerateBlocks from the WordPress repository.
At the time of this publication, there is no known exploitation of this vulnerability, and your site is likely not affected.
What was the vulnerability?
The vulnerability allowed those with a Contributor account or greater to access sensitive information, including user information, in the WordPress database via the REST API endpoint.
The vulnerability is rated medium severity and cannot be exploited without Contributor or greater authentication. Details of the vulnerability will be withheld by the security researcher to give site owners time to update.
What does this mean for your website?
As of the publication of this alert, there are no known instances of this vulnerability being exploited by malicious actors. As such, there is no reason to worry about your site.
How to update your site
If you are using GenerateBlocks 2.1.0 or earlier on your website, we recommend an immediate update. Log into your website admin area and navigate to “Updates.” Look for GenerateBlocks and choose to update the plugin.
If you have any questions about this vulnerability, please feel free to reach out to support for assistance. The security of your website and data is of the highest priority.
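For administrators who manage several sites from the command line, the check below reports which installs still carry GenerateBlocks 2.1.0 or earlier. It is an added example, not GeneratePress code; it assumes the default `wp-content/plugins/generateblocks` location and a `sort` that supports `-V`, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not GeneratePress code): flag WordPress installs whose
# GenerateBlocks copy is older than the fixed release named in the advisory.
FIXED_VERSION="2.1.1"                            # from the advisory
PLUGIN_DIR="wp-content/plugins/generateblocks"   # assumption: default layout

# Print the Version: header found in the plugin's main file, or nothing.
# WordPress reads plugin headers from the first 8 KB of top-level PHP files,
# so scan those instead of assuming the main file's name.
plugin_version() {
  local f v
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    head -c 8192 "$f" | grep -qiE '^[[:space:]*#@/]*Plugin Name:' || continue
    v=$(head -c 8192 "$f" | grep -iE '^[[:space:]*#@/]*Version:' | head -n1 |
        sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$v" ]; then echo "$v"; return 0; fi
  done
  return 0
}

# True when version $1 sorts strictly before version $2 (2.1.0 < 2.1.1 < 2.10.0).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Print one status word (plus the version when known) for a WordPress root.
check_site() {
  local dir="$1/$PLUGIN_DIR" v
  [ -d "$dir" ] || { echo "not-installed"; return 0; }
  v=$(plugin_version "$dir")
  [ -n "$v" ] || { echo "unknown"; return 0; }
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "needs-update $v"
  else
    echo "patched $v"
  fi
}

# Usage: ./check-generateblocks.sh /var/www/site-a /var/www/site-b
for root in "$@"; do
  printf '%s: %s\n' "$root" "$(check_site "$root")"
done
```

An `unknown` result means the plugin directory exists but no version header could be read, so confirm that install from the “Updates” screen.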
GeneratePress takes security seriously
Immediately upon learning of this vulnerability, the GeneratePress team pushed out a fix. We take the security of our customers’ sites seriously, and we make security fixes a priority. We are thankful to security researcher Abu Hurayra and Patchstack for their responsible disclosure of this security vulnerability.