CVE-2026-13756 in WP Grid Builder Plugininfo

Summary

by MITRE • 07/11/2026

The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the `update()` handler for the `/wp-json/wpgb/v2/metadata` REST endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator by updating their own `wp_capabilities` user meta with a crafted nested array payload.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/11/2026

The WP Grid Builder plugin presents a critical privilege escalation vulnerability affecting all versions up to and including 233 which stems from inadequate authorization controls and meta key validation within its REST API implementation. This flaw exists specifically within the update handler for the /wp-json/wpgb/v2/metadata endpoint where the plugin fails to properly validate user permissions or sanitize metadata updates before processing them. The vulnerability allows authenticated attackers who possess Subscriber-level access or higher to manipulate their own user capabilities through crafted requests that target the wp_capabilities meta key.

The technical execution of this privilege escalation relies on the absence of proper input validation mechanisms that should normally prevent unauthorized modification of critical user metadata. When an authenticated user sends a specially crafted payload to the vulnerable endpoint, the plugin accepts the update without verifying whether the requesting user has sufficient privileges to modify capabilities or whether the target meta key is protected from direct manipulation. This missing validation creates an attack vector where malicious users can inject nested array payloads that alter their own wp_capabilities field to include administrator-level permissions.

The operational impact of this vulnerability extends beyond simple privilege escalation as it provides attackers with complete administrative control over affected WordPress installations. Once elevated to administrator status, compromised users gain access to all plugin features, theme customization options, user management capabilities, and the ability to install or modify arbitrary code. This makes the vulnerability particularly dangerous in multi-user environments where subscribers might have legitimate access to the system but should not possess administrative privileges.

Security mitigation strategies must address both immediate patching requirements and architectural improvements to prevent similar issues in future implementations. Organizations should immediately update to version 234 or later where the authorization checks have been properly implemented, along with conducting thorough security audits of all REST API endpoints within WordPress installations. The vulnerability aligns with CWE-285 which addresses insufficient authorization and also maps to ATT&CK technique T1078 which covers valid accounts and privilege escalation through administrative access. Additionally this issue demonstrates poor input validation practices that should be addressed through comprehensive sanitization routines and proper capability checks before any metadata modifications are processed.

Responsible

Wordfence

Reservation

06/29/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!