{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2028", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T21:46:52.497Z", "datePublished": "2026-04-24T03:27:06.728Z", "dateUpdated": "2026-04-24T13:59:29.795Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T03:27:06.728Z"}, "affected": [{"vendor": "ckp267", "product": "MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators."}], "title": "Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44"}, {"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44"}, {"url": "https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476709%40maxi-blocks&new=3476709%40maxi-blocks&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "timeline": [{"time": "2026-04-16T10:47:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-23T14:43:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T13:58:56.361470Z", "id": "CVE-2026-2028", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:59:29.795Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T13:58:56.361470Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:59:05.993Z"}}], "cna": {"title": "Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ckp267", "product": "MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-16T10:47:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-23T14:43:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44"}, {"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44"}, {"url": "https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476709%40maxi-blocks&new=3476709%40maxi-blocks&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php"}], "descriptions": [{"lang": "en", "value": "The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T03:27:06.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2028", "state": "PUBLISHED", "dateUpdated": "2026-04-24T13:59:29.795Z", "dateReserved": "2026-02-05T21:46:52.497Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-24T03:27:06.728Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators."}], "id": "CVE-2026-2028", "lastModified": "2026-04-24T14:38:26.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-24T04:16:09.360", "references": [{"source": "security@wordfence.com", "url": "https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476709%40maxi-blocks&new=3476709%40maxi-blocks&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.1.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites", "source": "cna", "vendor": "ckp267"}, "product": "maxiblocks_builder", "vendor": "ckp267"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T14:24:46.467447+00:00", "value": {"mitigation_remediation": ["Update the MaxiBlocks Builder plugin to the latest released version where this issue is resolved.", "If an upgrade is not immediately possible, remove or disable the maxi_remove_custom_image_size AJAX endpoint to block the deletion action.", "Revoke Author and higher roles from the capability to delete media or configure role permissions to restrict media deletions."], "summary": {"action": "Apply Patch", "impact": "Arbitrary media file deletion"}, "threat_synthesis": {"affected_systems": "All installations of the MaxiBlocks Builder plugin for WordPress up to and including version 2.1.8 are affected. The issue is present in every release through 2.1.8; any site still using those releases is susceptible.", "description_and_impact": "The MaxiBlocks Builder plugin for WordPress has an insufficient file ownership check on the maxi_remove_custom_image_size AJAX action. This flaw allows an authenticated user with Author level or higher to delete any file in the wp-content/uploads directory, including those uploaded by other users and administrators. The deletion removes critical media assets, potentially disrupting site functionality and compromising content integrity. The weakness is categorized as CWE\u2011639, which is an authorized access vulnerability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated User with Author role or higher, so an attacker must first obtain a user account with sufficient permissions before deleting files. The attacker can target any media file without needing additional privileges, making the impact widespread for sites with many Uploads."}}}}, "created": "2026-04-28T09:25:21.471647+00:00", "updated": "2026-04-28T14:30:33.762810+00:00", "vendors": ["ckp267", "ckp267$PRODUCT$maxiblocks_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}