Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoints (AV:N), no exploit trickery (AC:L), requires a contributor account (PR:L), no victim interaction (UI:N), and privilege escalation to admin yields full CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Contributor Privilege Escalation in B Blocks <= 2.0.31 versions.
AnalysisAI
Privilege escalation in the B Blocks WordPress plugin through version 2.0.31 allows authenticated users with Contributor-level access to elevate their privileges on the affected site. Reported by Patchstack and tracked as EUVD-2026-36965, the issue carries a CVSS 3.1 score of 8.8 reflecting full confidentiality, integrity, and availability impact once a low-privileged WordPress account is obtained. No public exploit identified at time of analysis, but the low attack complexity and lack of required user interaction make weaponization straightforward once an exploitation primitive is published.
Technical ContextAI
B Blocks (vendor bplugins, CPE cpe:2.3:a:bplugins:b_blocks) is a Gutenberg block-library plugin for WordPress that extends the editor with additional blocks usable by authors and contributors. The root cause is mapped to CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants a user a privilege or capability they should not possess - typically because a plugin endpoint, block render callback, or REST/AJAX handler relies on a permission check that accepts the contributor role (or omits a capability check such as edit_others_posts or manage_options) when performing a privileged action. In WordPress, contributor accounts are intentionally restricted from publishing, editing others' content, or administering the site, so any logic flaw that lets that role write to elevated objects effectively becomes a path to administrator-equivalent control.
RemediationAI
Upstream fix available per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/b-blocks/vulnerability/wordpress-b-blocks-plugin-2-0-31-privilege-escalation-vulnerability; a released patched version is not independently confirmed in the supplied data, so administrators should update B Blocks to the latest release published after 2.0.31 via the WordPress plugin dashboard and verify the installed version is greater than 2.0.31. If an immediate update is not possible, compensating controls are to deactivate the B Blocks plugin (trade-off: any blocks it provides will render as broken in existing posts), tighten contributor onboarding by auditing and removing unneeded contributor/author accounts and forcing password resets, and place the wp-admin and wp-json endpoints behind a WAF or IP allowlist for editorial staff (trade-off: blocks legitimate remote contributors). Monitor user_meta and the wp_users/wp_usermeta tables for unexpected role or capability changes and review recently created administrator accounts as a detection backstop.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36965
GHSA-c797-w9mm-hhvj