Introduction
Attackers can gain full administrative control of a WordPress site running B Blocks simply by submitting a crafted registration request. This critical flaw impacts any site using B Blocks up to version 2.0.6, putting site integrity and user data at risk with no authentication required.
B Blocks is a plugin developed by bPlugins to extend the Gutenberg block editor in WordPress. It offers over 30 custom blocks and is used by hundreds of sites seeking enhanced layout and design options without heavy page builders. The plugin's popularity and integration with core WordPress registration flows make this vulnerability especially impactful for a broad segment of WordPress users.
Technical Information
CVE-2025-8059 is caused by a missing authorization check and improper input validation in the rgfr_registration function of the B Blocks plugin. This function is located in RegisterForm.php and is responsible for handling user registration form submissions provided by the plugin's registration block.
In all versions up to and including 2.0.6, the function does not verify whether the user submitting the registration request is authorized to assign privileged roles. Specifically, it allows the role parameter to be set in the registration request and does not restrict it to non-administrative roles. As a result, an unauthenticated attacker can submit a registration form with the role parameter set to administrator. The function then creates a new user account with full admin privileges, bypassing all intended access controls.
The root cause is the absence of a call to WordPress's capability checking functions, such as current_user_can, before assigning the requested role. The plugin also does not sanitize or validate the incoming role parameter, allowing direct privilege escalation.
A public code reference is available at:
https://plugins.trac.wordpress.org/browser/b-blocks/trunk/includes/blocks/RegisterForm.php#L77
The vulnerability is classified as CWE-862 (Missing Authorization). The code path responsible for user creation does not implement any logic to restrict role assignment to authorized users only.
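As an added example, not code from the B Blocks plugin, the following PHP handler shows the two controls the advisory says are missing: a capability check before honouring a requested role, and an allow-list that rejects administrative roles outright. The function name, the nonce action and the request array shape are assumptions; it relies only on WordPress core functions.

```php
<?php
// Hardened registration handler (added example, not the plugin's code).
// Assumes WordPress core is loaded so wp_insert_user(), current_user_can()
// and the sanitize_* helpers are available.

// Roles a self-service registration form may ever assign. Anything not listed
// here (including 'administrator') is rejected, whoever asks for it.
const SELF_REGISTRATION_ROLES = array( 'subscriber' );

function hardened_registration_handler( array $request ) {
    // Nonce ties the submission to a form rendered by this site.
    if ( ! isset( $request['_wpnonce'] )
        || ! wp_verify_nonce( $request['_wpnonce'], 'hardened_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Respect the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }

    $username = sanitize_user( $request['username'] ?? '', true );
    $email    = sanitize_email( $request['email'] ?? '' );
    $password = (string) ( $request['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || '' === $password ) {
        return new WP_Error( 'invalid_input', 'Missing or invalid fields.' );
    }

    // The client-supplied 'role' value is never copied into the new user.
    // Anonymous callers always receive the site's default role; only a
    // caller who can already promote users may pick from the allow-list.
    $role = get_option( 'default_role', 'subscriber' );
    if ( isset( $request['role'] ) ) {
        $requested = sanitize_key( $request['role'] );
        if ( ! current_user_can( 'promote_users' )
            || ! in_array( $requested, SELF_REGISTRATION_ROLES, true ) ) {
            return new WP_Error( 'forbidden_role', 'You may not assign that role.' );
        }
        $role = $requested;
    }

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

On an unpatched site, auditing the Users list for unexpected administrator accounts created via the registration block is the quickest way to check whether this path has already been abused.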
Affected Systems and Versions
- Product: B Blocks WordPress plugin
- Affected versions: All versions up to and including 2.0.6
- Vulnerable configuration: Any WordPress site with B Blocks plugin enabled and registration functionality exposed
Vendor Security History
bPlugins, the developer of B Blocks, has previously addressed security issues in this plugin family. Patchstack and Wordfence advisories list earlier vulnerabilities, including cross-site scripting flaws, which were patched in prior releases. The vendor has released updates in response to past disclosures, but the presence of a critical privilege escalation flaw in registration logic highlights ongoing challenges with secure implementation of user management features.