Skip to main content

Kadence Blocks CVE-2026-11357

| EUVDEUVD-2026-37843 MEDIUM
Information Exposure (CWE-200)
2026-06-18 Wordfence GHSA-g255-vwqv-qh7v
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Contributor authentication (PR:L) is mandatory; exposure is client-side credential read-only with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:19 vuln.today
CVE Published
Jun 18, 2026 - 04:31 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Kadence Blocks - Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_variables. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's connected Kadence account license key, license owner email, api_key, api_email, and license domain from the browser console by inspecting window.kadence_blocks_params.proData. Exploitation requires only that an administrator has previously connected a valid Kadence license; the full credential bundle is then readable by any Contributor-level user from the block editor client context without any server-side request manipulation.

AnalysisAI

Sensitive information exposure in Kadence Blocks (WordPress plugin) versions up to and including 3.7.5 allows authenticated contributors to read the site's Kadence license key, license owner email, api_key, api_email, and license domain directly from the browser console via the JavaScript global window.kadence_blocks_params.proData. The credentials are serialized client-side through the editor_assets_variables mechanism and require no server-side manipulation to extract. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level WordPress credentials
Delivery
Authenticate to WordPress admin panel
Exploit
Open block editor on any post or page
Execution
Open browser developer console
Persist
Query window.kadence_blocks_params.proData
Impact
Extract license key, api_key, and owner email

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker holds an authenticated WordPress account at Contributor level or higher - unauthenticated exploitation is not possible; (2) an administrator has previously connected a valid Kadence Pro license to the site, populating the stored credential options that the plugin serializes; (3) the attacker has access to the WordPress block editor, which Contributor-level users have by default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects the moderate severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor who holds a Contributor account on the target WordPress site - obtained via registration, credential stuffing, or social engineering - logs into the WordPress admin panel, opens the block editor on any post or page, and opens the browser developer console. The attacker types window.kadence_blocks_params.proData and immediately receives the full license key, api_key, owner email, and registered domain in plaintext. …
Remediation An upstream fix has been committed to the Kadence Blocks repository per Trac changeset 3569191 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3569191%40kadence-blocks&new=3569191%40kadence-blocks); however, a specific released patched version number is not confirmed from the available input data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy