EPSS Percentile: 40.5%
The plugin uses improper authorization for the REST API endpoint vk-blocks/v1/update_vk_blocks_options, allowing users with a role as low as contributor to change plugin settings, including default icons.
plugins.trac.wordpress.org/browser/vk-blocks/trunk/inc/vk-blocks/App/RestAPI/BlockMeta/class-vk-blocks-entrypoint.php
www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vk-blocks/vk-blocks-15305-authenticatedcontributor-settings-update