CVE-2026-24377
Published: 22 January 2026
Summary
CVE-2026-24377 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Information Discovery (T1082). The vulnerability is ranked at the 15.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-24377 is an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in the Nexter Blocks WordPress plugin by POSIMYTH (plugin slug the-plus-addons-for-block-editor). It enables retrieval of embedded sensitive data and affects all Nexter Blocks versions up to and including 4.6.3.
Low-privileged remote attackers (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no user interaction (UI:N) and with unchanged scope (S:U). Exploitation results in a low-impact confidentiality loss (C:L) with no integrity (I:N) or availability (A:N) impact, giving the CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N and a base score of 4.3. In practice PR:L means any authenticated account suffices, so sites that allow open registration should treat the precondition as trivially met.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/the-plus-addons-for-block-editor/vulnerability/wordpress-nexter-blocks-plugin-4-6-3-sensitive-data-exposure-vulnerability?_s_id=cve) documents the issue in Nexter Blocks up to version 4.6.3 and advises updating the plugin to address the sensitive data exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3820
Vulnerability details
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3.
- CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1082 System Information Discovery
- T1552 Unsecured Credentials
Why these techniques?
Sensitive system information exposure directly enables System Information Discovery (T1082) and Unsecured Credentials access (T1552) by allowing low-privileged remote retrieval of embedded data.
Affected Assets
- Nexter Blocks (the-plus-addons-for-block-editor) WordPress plugin, all versions up to and including 4.6.3
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access restrictions so low-privileged users cannot retrieve embedded sensitive data outside their authorized control sphere.
- AC-4 (Information Flow Enforcement): Enforces information-flow policies that block sensitive plugin data from flowing to unauthorized remote requesters.
- AC-6 (Least Privilege): Limits privileges granted to plugin users and processes, reducing the chance that low-privileged accounts can reach embedded sensitive data.
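As an added illustration (not code from the Nexter Blocks plugin or the Patchstack advisory), the following shows the general shape by which a WordPress plugin REST route leaks embedded settings to any logged-in account, beside the hardened shape that applies AC-3 (a capability check) and AC-4 (redacting secrets before the response leaves the plugin). The route namespace, option name and secret field names are hypothetical.

```php
<?php
/**
 * Hypothetical example plugin code, not Nexter Blocks code.
 * Two REST routes returning plugin settings: the first has the shape that
 * produces CWE-497, the second enforces access and information flow.
 */

// VULNERABLE SHAPE: permission_callback admits every request, so any
// low-privileged account (CVSS PR:L), e.g. a Subscriber, can fetch the
// option, including any secrets embedded in it.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-plugin/v1', '/settings-vulnerable', array(
		'methods'             => WP_REST_Server::READABLE,
		'permission_callback' => '__return_true',
		'callback'            => function ( WP_REST_Request $request ) {
			return rest_ensure_response( get_option( 'example_plugin_settings', array() ) );
		},
	) );
} );

// HARDENED SHAPE.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-plugin/v1', '/settings', array(
		'methods'             => WP_REST_Server::READABLE,
		// AC-3 (Access Enforcement): require a capability, not merely a login.
		// is_user_logged_in() alone would still admit every Subscriber.
		'permission_callback' => function ( WP_REST_Request $request ) {
			if ( ! current_user_can( 'manage_options' ) ) {
				return new WP_Error(
					'rest_forbidden',
					__( 'You are not allowed to read these settings.', 'example-plugin' ),
					array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
				);
			}
			return true;
		},
		// AC-4 (Information Flow Enforcement): redact secret-bearing fields
		// before the response leaves the plugin, even for an authorised caller.
		'callback'            => function ( WP_REST_Request $request ) {
			$settings = get_option( 'example_plugin_settings', array() );
			return rest_ensure_response( example_plugin_redact_secrets( (array) $settings ) );
		},
	) );
} );

/**
 * Replace secret-bearing fields with a fixed marker so an admin UI can show
 * that a value is configured without ever receiving the value itself.
 * Field names are hypothetical.
 */
function example_plugin_redact_secrets( array $settings ) : array {
	$secret_fields = array( 'api_key', 'license_key', 'smtp_password' );
	foreach ( $secret_fields as $field ) {
		if ( isset( $settings[ $field ] ) && '' !== $settings[ $field ] ) {
			$settings[ $field ] = '********';
		}
	}
	return $settings;
}
```

To verify a route of this kind on a site, request it as a Subscriber-role account (for example with an application password) and expect HTTP 403; an anonymous request should receive 401. Any 200 response carrying option contents to such an account is the exposure this advisory describes.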