CVE-2026-15286 in Kadence Blocks Plugininfo

Summary

by MITRE • 07/10/2026

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items_permission_check' function permission callback of the 'process_pattern' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and immediately publish posts of any type (including pages), bypassing the standard WordPress review workflow where contributors must submit posts for administrator approval.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in the Gutenberg Blocks with AI by Kadence WP plugin represents a critical authorization flaw that undermines WordPress's core permission model. This issue affects all versions up to and including 3.5.32, creating a significant security risk for WordPress sites that utilize this popular page builder plugin. The misconfiguration occurs within the REST API endpoint's permission callback mechanism, specifically in the 'get_items_permission_check' function which governs access to the 'process_pattern' endpoint. This flaw allows attackers with Contributor-level privileges or higher to exploit the system and publish content directly without proper review processes.

The technical implementation of this vulnerability stems from an insufficient capability check within the plugin's REST API framework. When authenticated users with Contributor-level access attempt to interact with the process_pattern endpoint, the permission validation logic fails to properly verify whether the user possesses the necessary administrative privileges required for publishing posts. This misconfiguration creates a direct pathway for privilege escalation where users who should be restricted from immediate publication can bypass standard workflow controls that typically require administrator approval for content created by contributors.

The operational impact of this vulnerability extends beyond simple unauthorized publishing capabilities and represents a fundamental breach in WordPress's role-based access control system. Contributors, who by default should only be able to submit posts for review, can now immediately publish any type of content including pages, posts, or custom post types. This bypasses the entire editorial workflow that WordPress provides, potentially allowing malicious actors to inject spam content, malware, or inappropriate material directly into published sites. The implications are particularly severe in multi-user environments where contributors may not be trusted with immediate publishing privileges.

Security professionals should recognize this vulnerability as a clear example of improper access control mechanisms that align with CWE-285 (Improper Authorization) and could map to ATT&CK technique T1078 (Valid Accounts) through the exploitation of legitimate contributor accounts. The attack vector requires minimal privileges and provides significant impact, making it particularly dangerous in environments where contributor accounts are frequently used or where account compromise is possible. Organizations should immediately implement mitigations including plugin updates to versions that address this specific authorization flaw, along with monitoring for unauthorized publishing activities.

The remediation approach involves updating to the latest version of the Kadence WP plugin where the capability check has been properly implemented and validated. Additionally, administrators should review user roles and capabilities within their WordPress installations to ensure that Contributor-level accounts do not possess unintended publishing privileges. Regular security audits of WordPress plugins should include verification of REST API endpoint permissions and capability checks to prevent similar issues from occurring in other third-party components. Organizations operating in high-security environments may also consider implementing additional monitoring solutions that track unusual publishing activities or unauthorized content creation patterns.

This vulnerability demonstrates the importance of proper permission validation in web applications and highlights how seemingly minor authorization flaws can lead to significant security implications. The issue serves as a reminder that even trusted plugins can contain critical security vulnerabilities that require ongoing vigilance and proactive security measures from WordPress administrators. Regular updates, comprehensive security testing, and adherence to security best practices remain essential defenses against such exploitation vectors in the WordPress ecosystem.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!