{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2608", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-16T22:23:22.829Z", "datePublished": "2026-02-17T11:20:37.133Z", "dateUpdated": "2026-04-08T16:33:30.973Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:30.973Z"}, "affected": [{"vendor": "stellarwp", "product": "Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.32", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action."}], "title": "Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05dd1686-76e3-498b-80b8-c4befc545fc8?source=cve"}, {"url": "https://vdp.patchstack.com/database/wordpress/plugin/kadence-blocks/vulnerability/wordpress-gutenberg-blocks-with-ai-by-kadence-wp-plugin-3-5-32-incorrect-authorization-to-authenticated-contributor-post-publication-vulnerability"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/kadence-blocks/tags/3.5.32&new_path=/kadence-blocks/tags/3.6.0&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2026-02-16T22:38:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-11T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:28:09.887675Z", "id": "CVE-2026-2608", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:28:19.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2608", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T14:28:09.887675Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:28:16.368Z"}}], "cna": {"title": "Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.5.32"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-16T22:38:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-11T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05dd1686-76e3-498b-80b8-c4befc545fc8?source=cve"}, {"url": "https://vdp.patchstack.com/database/wordpress/plugin/kadence-blocks/vulnerability/wordpress-gutenberg-blocks-with-ai-by-kadence-wp-plugin-3-5-32-incorrect-authorization-to-authenticated-contributor-post-publication-vulnerability"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/kadence-blocks/tags/3.5.32&new_path=/kadence-blocks/tags/3.6.0&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-17T11:20:37.133Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2608", "state": "PUBLISHED", "dateUpdated": "2026-02-17T14:28:19.816Z", "dateReserved": "2026-02-16T22:23:22.829Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-17T11:20:37.133Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action."}, {"lang": "es", "value": "El plugin Kadence Blocks \u2014 Page Builder Toolkit para el Editor Gutenberg para WordPress es vulnerable a acceso no autorizado debido a una comprobaci\u00f3n de capacidad faltante en una funci\u00f3n en todas las versiones hasta la 3.5.32, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, realicen una acci\u00f3n no autorizada."}], "id": "CVE-2026-2608", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-17T12:16:15.600", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/kadence-blocks/tags/3.5.32&new_path=/kadence-blocks/tags/3.6.0&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://vdp.patchstack.com/database/wordpress/plugin/kadence-blocks/vulnerability/wordpress-gutenberg-blocks-with-ai-by-kadence-wp-plugin-3-5-32-incorrect-authorization-to-authenticated-contributor-post-publication-vulnerability"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05dd1686-76e3-498b-80b8-c4befc545fc8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.32]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor", "source": "cna", "vendor": "stellarwp"}, "product": "kadence_blocks_\u2014_page_builder_toolkit_for_gutenberg_editor", "vendor": "stellarwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:25:51.789263+00:00", "value": {"mitigation_remediation": ["Upgrade Kadence Blocks to version 3.6.0 or later to apply the missing capability check.", "If an upgrade is not immediately possible, reduce contributor role capabilities or remove contributor access from users who do not need it.", "Monitor the site for anomalous block creation or modification activity and audit contributor actions after the fix."], "summary": {"action": "Patch", "impact": "Privilege Escalation through Missing Authorization"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Kadence Blocks plugin version 3.5.32 or older. The vulnerability applies to all releases up to and including 3.5.32; newer releases beyond 3.5.32 are not affected. The plugin is distributed by StellarWP under the name Kadence Blocks, a toolkit for building Gutenberg blocks.", "description_and_impact": "The Kadence Blocks \u2014 Page Builder Toolkit for Gutenberg Editor plugin for WordPress is affected by a missing capability check inside a specific function. Authenticated attackers who hold a Contributor role or higher can perform an action that the system should restrict, effectively bypassing intended permission controls. This flaw allows attackers to elevate privileges or execute unintended operations, compromising the integrity of the site\u2019s content and potentially exposing sensitive data.", "risk_and_exploitability": "The CVSS base score of 4.3 places the flaw in the moderate range, indicating that the attack requires valid credentials and no complex exploitation steps. The EPSS score of less than 1% suggests that exploitation in the wild is unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a direct use of the WordPress administrative interface by a user with contributor\u2011level access or higher; no remote network exploitation is indicated. Because the flaw is purely an authorization omission, an attacker who can authenticate as a contributor can exploit it immediately after login. Assess the exposure of contributor accounts as a priority."}}}}, "created": "2026-02-18T10:44:03.425734+00:00", "updated": "2026-04-15T20:30:13.780408+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$kadence_blocks_\u2014_page_builder_toolkit_for_gutenberg_editor", "wordpress", "wordpress$PRODUCT$wordpress"]}