Skip to main content

aBlocks EUVDEUVD-2026-43456

| CVE-2026-57386 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-07-13 Patchstack
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable authenticated action needing only a low-privilege account (PR:L, AC:L, UI:N); privilege escalation to admin yields full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:02 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Kodezen LLC aBlocks ablocks allows Privilege Escalation.This issue affects aBlocks: from n/a through < 2.9.1.

AnalysisAI

Privilege escalation in the aBlocks WordPress plugin (Kodezen LLC) through version 2.9.1 allows an authenticated low-privileged user to elevate their permissions due to incorrect privilege assignment. With a CVSS of 8.8 (AV:N/AC:L/PR:L), a subscriber- or contributor-level account can gain elevated capabilities remotely over the network. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Send crafted request to aBlocks endpoint
Exploit
Trigger incorrect privilege assignment
Execution
Escalate to administrator capabilities
Impact
Full site compromise

Vulnerability AssessmentAI

Exploitation Requires an authenticated account on the target WordPress site (CVSS PR:L), so the attacker must already hold at least a low-privilege role such as subscriber or contributor - commonly obtainable where open registration is enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) indicates a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high impact across confidentiality, integrity, and availability - consistent with full site compromise once a foothold account exists. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege account (e.g., subscriber or contributor) on a WordPress site running a vulnerable aBlocks version, then sends a crafted request to the plugin's privilege-assignment functionality to grant their own account administrator-level capabilities. Given AV:N/AC:L/UI:N, this requires no victim interaction and low effort; no public POC has been identified at time of analysis.
Remediation Vendor-released patch: aBlocks 2.9.1 - upgrade the plugin to version 2.9.1 or later, which is the primary and definitive fix per the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ablocks/vulnerability/wordpress-ablocks-plugin-2-9-1-privilege-escalation-vulnerability?_s_id=cve). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations for aBlocks plugin presence and version; identify and review all subscriber and contributor-level accounts with recent activity or suspicious behavior. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43456 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy