Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).
AnalysisAI
WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability exists in the WP Blockade - Visual Page Builder plugin (CPE: cpe:2.3:a:burlingtonbytes:wp_blockade_-_visual_page_builder:*:*:*:*:*:*:*:*) and stems from improper implementation of WordPress security controls. The vulnerable render_shortcode_preview() function is registered to the admin_post action hook 'wp-blockade-shortcode-render' without capability checks (missing current_user_can() calls) or nonce verification. The function accepts a 'shortcode' parameter from the $_GET superglobal, applies only stripslashes() for processing, and directly passes it to WordPress's do_shortcode() function for execution. This violates CWE-862 (Missing Authorization) because the action handler performs a sensitive operation-shortcode execution-without verifying the user has appropriate permissions. Since shortcodes registered by other plugins can perform actions, access sensitive data, include files, or manipulate site content, an authenticated attacker can leverage installed shortcodes to escalate privileges or extract information.
RemediationAI
The primary remediation is to update the WP Blockade plugin to a patched version released after 0.9.14. WordPress administrators should disable or remove the plugin immediately if a patch is not available, as no vendor-released patch version has been confirmed in the provided data. The fix requires the plugin developers to add nonce verification and appropriate capability checks (current_user_can() calls) to the render_shortcode_preview() function before executing do_shortcode(). A temporary workaround for sites unable to update immediately is to restrict Subscriber-level access or disable the plugin via the WordPress admin dashboard until a security update is released. For more information, refer to the plugin repository at https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php and the Wordfence vulnerability advisory.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20103
GHSA-3q32-77vq-vq6v