Skip to main content

WordPress EUVDEUVD-2026-20103

| CVE-2026-3480 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Wordfence GHSA-3q32-77vq-vq6v
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 07:00 euvd
EUVD-2026-20103
Analysis Generated
Apr 08, 2026 - 07:00 vuln.today
CVE Published
Apr 08, 2026 - 06:43 nvd
MEDIUM 6.5

DescriptionCVE.org

The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).

AnalysisAI

WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in the WP Blockade - Visual Page Builder plugin (CPE: cpe:2.3:a:burlingtonbytes:wp_blockade_-_visual_page_builder:*:*:*:*:*:*:*:*) and stems from improper implementation of WordPress security controls. The vulnerable render_shortcode_preview() function is registered to the admin_post action hook 'wp-blockade-shortcode-render' without capability checks (missing current_user_can() calls) or nonce verification. The function accepts a 'shortcode' parameter from the $_GET superglobal, applies only stripslashes() for processing, and directly passes it to WordPress's do_shortcode() function for execution. This violates CWE-862 (Missing Authorization) because the action handler performs a sensitive operation-shortcode execution-without verifying the user has appropriate permissions. Since shortcodes registered by other plugins can perform actions, access sensitive data, include files, or manipulate site content, an authenticated attacker can leverage installed shortcodes to escalate privileges or extract information.

RemediationAI

The primary remediation is to update the WP Blockade plugin to a patched version released after 0.9.14. WordPress administrators should disable or remove the plugin immediately if a patch is not available, as no vendor-released patch version has been confirmed in the provided data. The fix requires the plugin developers to add nonce verification and appropriate capability checks (current_user_can() calls) to the render_shortcode_preview() function before executing do_shortcode(). A temporary workaround for sites unable to update immediately is to restrict Subscriber-level access or disable the plugin via the WordPress admin dashboard until a security update is released. For more information, refer to the plugin repository at https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php and the Wordfence vulnerability advisory.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-20103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy