Rewterz

Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-2568 CVSS:5.3

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' functions in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.

CVE-2024-31211 CVSS:5.5

WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

CVE-2024-31210 CVSS:7.6

WordPress, an open publishing platform for the Web, was found to contain a vulnerability (CVE-2024-31210) that allows administrative users to bypass file upload restrictions in the plugin installation process. The vulnerability was discovered and disclosed in January 2024, affecting WordPress versions from 4.1 through 6.4.2. This security issue specifically impacts Administrator level users on single site installations and Super Admin level users on Multisite installations.

Impact

  • Code Execution
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-2568

  • CVE-2024-31211

  • CVE-2024-31210

Affected Vendors

  • WordPress

Affected Products

  • WordPress 6.4.2
  • WordPress versions from 4.1 through 6.4.2.
  • Vayu Blocks – Gutenberg Blocks for WordPress and WooCommerce plugin

Remediation

Update the WordPress plugin to the latest available version.
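To decide which hosts need the update first, the version ranges stated in the Analysis Summary can be checked against an inventory. The following is an added example, not code from Rewterz or WordPress; the component keys (`wordpress`, `vayu-blocks`), host names and inventory are constructed for illustration.

```python
import re

# Affected ranges as stated in this advisory:
# (CVE, component key [assumed label], lowest affected, upper bound, upper bound inclusive?)
ADVISORY_RANGES = [
    ("CVE-2025-2568", "vayu-blocks", "1.0.4", "1.2.1", True),
    ("CVE-2024-31211", "wordpress", "6.4.0", "6.4.2", False),  # fixed in 6.4.2
    ("CVE-2024-31210", "wordpress", "4.1", "6.4.2", True),
]

def parse_version(text):
    """Turn '6.4' or '6.4.1' into a 3-tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so 6.4 == 6.4.0

def applicable_cves(installed):
    """installed maps component key -> version string; returns sorted CVE ids."""
    hits = []
    for cve, component, low, high, inclusive in ADVISORY_RANGES:
        if component not in installed:
            continue  # component absent on this host
        v = parse_version(installed[component])
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v and (v <= hi if inclusive else v < hi):
            hits.append(cve)
    return sorted(hits)

def triage(inventory):
    """inventory maps host -> installed components; returns host -> CVE list."""
    return {host: applicable_cves(comps) for host, comps in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions)
SAMPLE_INVENTORY = {
    "blog-01": {"wordpress": "6.4.1", "vayu-blocks": "1.2.1"},
    "shop-02": {"wordpress": "6.3.2", "vayu-blocks": "1.0.3"},
    "docs-03": {"wordpress": "6.4.2"},
    "news-04": {"wordpress": "6.4"},
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, cves or "no CVE from this advisory applies")
```

Version strings with suffixes such as `-beta` are rejected rather than guessed at, so those hosts need a manual check.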
