Severity
High
Analysis Summary
CVE-2025-2568 CVSS:5.3
The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' functions in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.
CVE-2024-31211 CVSS:5.5
WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
CVE-2024-31210 CVSS:7.6
WordPress, an open publishing platform for the Web, was found to contain a vulnerability (CVE-2024-31210) that allows administrative users to bypass file upload restrictions in the plugin installation process. The vulnerability was discovered and disclosed in January 2024, affecting WordPress versions from 4.1 through 6.4.2. This security issue specifically impacts Administrator level users on single site installations and Super Admin level users on Multisite installations.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-2568
CVE-2024-31211
CVE-2024-31210
Affected Vendors
- WordPress
Affected Products
- WordPress 6.4.2
- WordPress versions from 4.1 through 6.4.2.
- Vayu Blocks – Gutenberg Blocks for WordPress and WooCommerce plugin
Remediation
Update the WordPress plugin to the latest available version.
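To decide which installations need the update, the affected ranges stated in this advisory can be matched against an inventory of installed versions. The following is an added example, not code from the advisory or from WordPress; the component labels (`wordpress`, `vayu-blocks`), the function names and the sample inventory are assumptions made for illustration.

```python
# Added example: affected ranges transcribed literally from this advisory.
# Patched maintenance releases on older branches, if any, are not modeled.
# (component label, CVE, lowest affected, upper bound, upper bound inclusive?)
ADVISORY_RANGES = [
    ("vayu-blocks", "CVE-2025-2568", "1.0.4", "1.2.1", True),
    ("wordpress", "CVE-2024-31211", "6.4.0", "6.4.2", False),  # fixed in 6.4.2
    ("wordpress", "CVE-2024-31210", "4.1", "6.4.2", True),
]


def parse_version(text):
    """Turn '6.4' or '6.4.1' into a comparable 3-tuple such as (6, 4, 0)."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError if not numeric
    if len(parts) > 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, low, high, inclusive):
    """True when version lies between low and high under the stated bound."""
    if version < parse_version(low):
        return False
    upper = parse_version(high)
    return version <= upper if inclusive else version < upper


def affected_cves(inventory):
    """Return {component: [CVE, ...]} for installed versions inside a range."""
    findings = {}
    for component, installed in inventory.items():
        version = parse_version(installed)
        for name, cve, low, high, inclusive in ADVISORY_RANGES:
            if name == component and in_range(version, low, high, inclusive):
                findings.setdefault(component, []).append(cve)
    return findings


# Constructed sample inventory (hypothetical hosts, not data from the advisory).
SAMPLE_INVENTORY = {"wordpress": "6.4.1", "vayu-blocks": "1.2.1"}

if __name__ == "__main__":
    for component, cves in affected_cves(SAMPLE_INVENTORY).items():
        print(component, SAMPLE_INVENTORY[component], "->", ", ".join(cves))
```
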