{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32489", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.509Z", "datePublished": "2026-03-25T16:14:58.411Z", "dateUpdated": "2026-03-25T16:14:58.411Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "b-blocks", "product": "B Blocks", "vendor": "bPlugins", "versions": [{"changes": [{"at": "2.0.30", "status": "unaffected"}], "lessThanOrEqual": "< 2.0.30", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "w41bu1 | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.172Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in bPlugins B Blocks b-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects B Blocks: from n/a through < 2.0.30.</p>"}], "value": "Missing Authorization vulnerability in bPlugins B Blocks b-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects B Blocks: from n/a through < 2.0.30."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:58.411Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/b-blocks/vulnerability/wordpress-b-blocks-plugin-2-0-30-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress B Blocks plugin < 2.0.30 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in bPlugins B Blocks b-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects B Blocks: from n/a through < 2.0.30."}], "id": "CVE-2026-32489", "lastModified": "2026-03-25T17:16:59.860", "metrics": {}, "published": "2026-03-25T17:16:59.860", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/b-blocks/vulnerability/wordpress-b-blocks-plugin-2-0-30-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:48:31.823387+00:00", "value": {"mitigation_remediation": ["Upgrade the B Blocks plugin to version 2.0.30 or later", "If an upgrade is not possible, disable or delete the plugin until a patch is applied", "Verify that no legacy plugin files remain on the server after disabling or uninstalling"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All releases of the bPlugins B Blocks plugin earlier than version 2.0.30 are affected. Any WordPress installation that has installed one of these older versions and has not upgraded is vulnerable. The issue does not affect WordPress core or other plugins.", "description_and_impact": "The vulnerability is a missing authorization check in the bPlugins B Blocks WordPress plugin. Because the plugin does not verify the requesting user\u2019s capabilities before performing its functions, an attacker can carry out actions that the plugin should restrict, such as creating, modifying, or deleting content on the site. This flaw is a classic privilege\u2011escalation problem classified under CWE\u2011862.", "risk_and_exploitability": "No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation is not yet documented. Nonetheless, the flaw can be abused remotely by sending crafted HTTP requests to the plugin\u2019s endpoints, and because it does not require authentication, any user who can reach the site could attempt the attack. The potential to gain elevated privileges to manipulate site content gives this vulnerability a high risk for affected sites. Based on the description, it is inferred that attackers may exploit this flaw by making crafted HTTP requests to the plugin\u2019s endpoints from a remote location."}}}}, "created": "2026-03-25T21:43:39.300882+00:00", "updated": "2026-03-25T21:43:39.300920+00:00", "vendors": []}