Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
PR:L reflects required Contributor authentication; C:L corrects NVD's C:N since reading others' optimizer records is a confidentiality breach.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Kadence Blocks - Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the Optimize_Rest_Controller's create_item(), get_item(), delete_item(), and bulk_delete_items() endpoints - authorization is checked via current_user_can('edit_post'/'delete_post', $post_id) against the user-supplied post_id, while the storage layer keys analysis records on sha256($post_path) from a separately supplied, attacker-controlled post_path parameter, with no enforcement that post_path corresponds to post_id. This makes it possible for authenticated attackers, with Contributor-level access and above, to read or delete optimizer analysis records belonging to posts owned by other users by submitting their own post_id (which passes the capability check) together with the victim post's path.
AnalysisAI
Kadence Blocks WordPress plugin versions up to and including 3.7.7 allows authenticated Contributor-level users to read or delete optimizer analysis records belonging to posts they do not own, by exploiting a parameter mismatch in four REST API endpoints of the Optimize_Rest_Controller. The authorization check binds to a user-supplied post_id while the storage layer retrieves records by sha256 of a separately supplied, attacker-controlled post_path, with no enforcement that these two parameters refer to the same post. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at least Contributor role, which grants the edit_post capability that passes the authorization check. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official NVD CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates this as Medium but contains a notable discrepancy: the vector encodes C:N (no confidentiality impact), yet the vulnerability description explicitly states that attackers can read optimizer analysis records belonging to other users' posts - a clear confidentiality breach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a legitimate Contributor account on the target WordPress site authenticates and obtains a valid nonce, then calls the Optimize_Rest_Controller REST endpoint (e.g., get_item or delete_item) passing their own post_id - a post they authored and can edit - while setting the post_path parameter to the URL path of a victim post (e.g., /2026/01/confidential-draft/). The capability check passes because post_id is legitimately theirs, but the storage layer retrieves or deletes the optimizer record keyed on sha256 of the victim's path. … |
| Remediation | No specific patched release version is confirmed in the available input data; users should update Kadence Blocks to the latest version available beyond 3.7.7 and verify the fix is present by consulting the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/24cdd50f-742c-457c-85f7-9cccaf366e87?source=cve. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authorization bypass in the Kadence Blocks WordPress plugin (all versions through 3.7.7) allows authenticated contributo
Sensitive information exposure in Kadence Blocks (WordPress plugin) versions up to and including 3.7.5 allows authentica
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40890
GHSA-pjfr-44xr-rrw5