{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1857", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T19:00:13.022Z", "datePublished": "2026-02-18T06:42:40.144Z", "dateUpdated": "2026-04-08T16:44:27.779Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:27.779Z"}, "affected": [{"vendor": "stellarwp", "product": "Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers."}], "title": "Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'endpoint' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea8d38a-f5ce-40dd-a015-f56d60579e05?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L57"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3454881%40kadence-blocks%2Ftrunk&old=3453204%40kadence-blocks%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ali S\u00fcnb\u00fcl"}], "timeline": [{"time": "2026-02-03T19:19:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T17:38:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:26:31.259507Z", "id": "CVE-2026-1857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:26:38.417Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:26:31.259507Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:26:35.577Z"}}], "cna": {"title": "Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'endpoint' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Ali S\u00fcnb\u00fcl"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T19:19:15.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T17:38:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea8d38a-f5ce-40dd-a015-f56d60579e05?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L57"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3454881%40kadence-blocks%2Ftrunk&old=3453204%40kadence-blocks%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:27.779Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1857", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:27.779Z", "dateReserved": "2026-02-03T19:00:13.022Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T06:42:40.144Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers."}, {"lang": "es", "value": "El plugin Gutenberg Blocks con AI por Kadence WP para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n del lado del servidor en todas las versiones hasta la 3.6.1, inclusive. Esto se debe a una validaci\u00f3n insuficiente del par\u00e1metro 'endpoint' en la funci\u00f3n 'get_items()' del manejador de la API REST de GetResponse. La comprobaci\u00f3n de permisos del endpoint solo requiere la capacidad 'edit_posts' (rol de Colaborador) en lugar de 'manage_options' (Administrador). Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador o superior, realicen peticiones del lado del servidor a endpoints arbitrarios en el servidor de la API de GetResponse configurado, recuperando datos sensibles como contactos, campa\u00f1as y listas de correo utilizando las credenciales de la API almacenadas en el sitio. La clave de API almacenada tambi\u00e9n se filtra en las cabeceras de la petici\u00f3n."}], "id": "CVE-2026-1857", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T07:16:09.907", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L57"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.5.32/includes/advanced-form/getresponse-rest-api.php#L77"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3454881%40kadence-blocks%2Ftrunk&old=3453204%40kadence-blocks%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2ea8d38a-f5ce-40dd-a015-f56d60579e05?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor", "source": "cna", "vendor": "stellarwp"}, "product": "kadence_blocks_\u2014_page_builder_toolkit_for_gutenberg_editor", "vendor": "stellarwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:24:34.871569+00:00", "value": {"mitigation_remediation": ["Upgrade the Kadence Blocks plugin to the latest version that addresses the endpoint validation flaw.", "Reconfigure the plugin or WordPress capabilities so that only administrators or dedicated privileged roles can use the GetResponse integration, removing the edit_posts requirement.", "Implement outbound request restrictions or firewall rules to limit the server to allowed domains, preventing the plugin from making arbitrary calls to external hosts."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Kadence Blocks \u2013 Page Builder Toolkit for Gutenberg Editor, in the Gutenberg Blocks with AI plugin for WordPress, all versions up to and including 3.6.1 are affected. No newer version is known to contain a fix in the supplied data.", "description_and_impact": "The Gutenberg Blocks with AI by Kadence WP plugin contains an insufficient validation of the endpoint parameter in the GetResponse REST API handler. Contributors and other authenticated users with the edit_posts capability can cause the server to request arbitrary URLs on the configured GetResponse API host, leaking the stored API key in request headers and exposing sensitive data such as contacts, campaigns, and mailing lists. The vulnerability does not provide arbitrary code execution but allows an attacker to obtain confidential information and a credential that may be usable in external services.", "risk_and_exploitability": "The CVSS score of 4.3 classifies the issue as moderate severity, and the EPSS score of less than 1% indicates a low likelihood of active exploitation at present. It is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access at the Contributor level or higher and a WordPress instance with the vulnerable plugin installed. Attackers can target the GetResponse API, retrieve data, and leak credentials, but the risk of widespread compromise is limited to the scope of the site\u2019s data and any linked external services. No additional privileges or system-wide compromise are achievable through this flaw."}}}}, "created": "2026-02-18T10:32:40.528333+00:00", "updated": "2026-04-15T20:30:13.778089+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$kadence_blocks_\u2014_page_builder_toolkit_for_gutenberg_editor", "wordpress", "wordpress$PRODUCT$wordpress"]}