Skip to main content

Kadence Blocks EUVDEUVD-2026-40890

| CVE-2026-12904 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-01 Wordfence GHSA-pjfr-44xr-rrw5
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects required Contributor authentication; C:L corrects NVD's C:N since reading others' optimizer records is a confidentiality breach.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:30 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 4.3

DescriptionCVE.org

The Kadence Blocks - Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the Optimize_Rest_Controller's create_item(), get_item(), delete_item(), and bulk_delete_items() endpoints - authorization is checked via current_user_can('edit_post'/'delete_post', $post_id) against the user-supplied post_id, while the storage layer keys analysis records on sha256($post_path) from a separately supplied, attacker-controlled post_path parameter, with no enforcement that post_path corresponds to post_id. This makes it possible for authenticated attackers, with Contributor-level access and above, to read or delete optimizer analysis records belonging to posts owned by other users by submitting their own post_id (which passes the capability check) together with the victim post's path.

AnalysisAI

Kadence Blocks WordPress plugin versions up to and including 3.7.7 allows authenticated Contributor-level users to read or delete optimizer analysis records belonging to posts they do not own, by exploiting a parameter mismatch in four REST API endpoints of the Optimize_Rest_Controller. The authorization check binds to a user-supplied post_id while the storage layer retrieves records by sha256 of a separately supplied, attacker-controlled post_path, with no enforcement that these two parameters refer to the same post. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress Contributor
Delivery
Enumerate or infer victim post URL path
Exploit
Craft REST API request with attacker's own post_id
Execution
Set post_path to victim post's path
Persist
Bypass authorization check via post_id mismatch
Impact
Read or delete victim's optimizer analysis record

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at least Contributor role, which grants the edit_post capability that passes the authorization check. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official NVD CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates this as Medium but contains a notable discrepancy: the vector encodes C:N (no confidentiality impact), yet the vulnerability description explicitly states that attackers can read optimizer analysis records belonging to other users' posts - a clear confidentiality breach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a legitimate Contributor account on the target WordPress site authenticates and obtains a valid nonce, then calls the Optimize_Rest_Controller REST endpoint (e.g., get_item or delete_item) passing their own post_id - a post they authored and can edit - while setting the post_path parameter to the URL path of a victim post (e.g., /2026/01/confidential-draft/). The capability check passes because post_id is legitimately theirs, but the storage layer retrieves or deletes the optimizer record keyed on sha256 of the victim's path. …
Remediation No specific patched release version is confirmed in the available input data; users should update Kadence Blocks to the latest version available beyond 3.7.7 and verify the fix is present by consulting the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/24cdd50f-742c-457c-85f7-9cccaf366e87?source=cve. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy