Skip to main content

Kadence Blocks EUVDEUVD-2026-40895

| CVE-2026-12902 MEDIUM
Missing Authorization (CWE-862)
2026-07-01 Wordfence GHSA-cpmr-m3wg-cf9c
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Contributor account required (PR:L); network-delivered with no complexity; integrity-only impact via unauthorized Media Library write; no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:30 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 4.3

DescriptionCVE.org

The Kadence Blocks - Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create arbitrary Media Library attachments by downloading remote images to the site's uploads directory via wp_upload_bits() and wp_insert_attachment(), bypassing the upload_files capability boundary.

AnalysisAI

Authorization bypass in the Kadence Blocks WordPress plugin (all versions through 3.7.7) allows authenticated contributors to create arbitrary Media Library attachments by fetching remote images via internal WordPress functions, bypassing the upload_files capability boundary. The flaw resides in class-kadence-blocks-prebuilt-library.php at multiple call sites where wp_upload_bits() and wp_insert_attachment() are invoked without verifying the requesting user's authorization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor WordPress account
Delivery
Identify Kadence Blocks prebuilt-library AJAX action
Exploit
Craft request with attacker-controlled remote image URL
Execution
Server fetches remote image via wp_upload_bits() bypassing capability check
Impact
Attachment inserted into Media Library via wp_insert_attachment()

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum contributor-level role on the target installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.3 (Medium) reflects AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - network-reachable, low-complexity, low-privilege exploitation with a limited integrity impact and no confidentiality or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a contributor-level WordPress account on a target site sends a crafted AJAX request to the Kadence Blocks prebuilt-library endpoint, supplying an attacker-controlled remote image URL. Because the handler invokes wp_upload_bits() and wp_insert_attachment() without a capability check, the remote image is downloaded to the site's uploads directory and registered in the Media Library - actions that should require the upload_files capability the contributor does not possess. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the WordPress.org changeset 3590217 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590217%40kadence-blocks&new=3590217%40kadence-blocks) reflects the corrective code change, but an explicit fixed release version was not provided in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy