Skip to main content

B Blocks CVE-2026-39579

| EUVDEUVD-2026-36965 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-c797-w9mm-hhvj
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable WordPress endpoints (AV:N), no exploit trickery (AC:L), requires a contributor account (PR:L), no victim interaction (UI:N), and privilege escalation to admin yields full CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:17 vuln.today

DescriptionCVE.org

Contributor Privilege Escalation in B Blocks <= 2.0.31 versions.

AnalysisAI

Privilege escalation in the B Blocks WordPress plugin through version 2.0.31 allows authenticated users with Contributor-level access to elevate their privileges on the affected site. Reported by Patchstack and tracked as EUVD-2026-36965, the issue carries a CVSS 3.1 score of 8.8 reflecting full confidentiality, integrity, and availability impact once a low-privileged WordPress account is obtained. No public exploit identified at time of analysis, but the low attack complexity and lack of required user interaction make weaponization straightforward once an exploitation primitive is published.

Technical ContextAI

B Blocks (vendor bplugins, CPE cpe:2.3:a:bplugins:b_blocks) is a Gutenberg block-library plugin for WordPress that extends the editor with additional blocks usable by authors and contributors. The root cause is mapped to CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants a user a privilege or capability they should not possess - typically because a plugin endpoint, block render callback, or REST/AJAX handler relies on a permission check that accepts the contributor role (or omits a capability check such as edit_others_posts or manage_options) when performing a privileged action. In WordPress, contributor accounts are intentionally restricted from publishing, editing others' content, or administering the site, so any logic flaw that lets that role write to elevated objects effectively becomes a path to administrator-equivalent control.

RemediationAI

Upstream fix available per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/b-blocks/vulnerability/wordpress-b-blocks-plugin-2-0-31-privilege-escalation-vulnerability; a released patched version is not independently confirmed in the supplied data, so administrators should update B Blocks to the latest release published after 2.0.31 via the WordPress plugin dashboard and verify the installed version is greater than 2.0.31. If an immediate update is not possible, compensating controls are to deactivate the B Blocks plugin (trade-off: any blocks it provides will render as broken in existing posts), tighten contributor onboarding by auditing and removing unneeded contributor/author accounts and forcing password resets, and place the wp-admin and wp-json endpoints behind a WAF or IP allowlist for editorial staff (trade-off: blocks legitimate remote contributors). Monitor user_meta and the wp_users/wp_usermeta tables for unexpected role or capability changes and review recently created administrator accounts as a detection backstop.

Share

CVE-2026-39579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy