CVE-2026-2826 in Kadence Blocks Plugin
Summary (English)
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the `upload_files` capability in the `process_pattern` REST API endpoint. This makes it possible for authenticated attackers, with contributor level access and above, to upload images to the WordPress Media Library by supplying remote image URLs that the server downloads and creates as media attachments.
Responsible
Wordfence
Reserved
2026-02-19
Published
2026-04-04
Status
Confirmed
Entries
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerability | CWE | Exploit | Countermeasure | CVE |
|---|---|---|---|---|---|
| 355307 | stellarwp Kadence Blocks Plugin REST API process_pattern upload_files privilege escalation | 862 | Not defined | Official fix | CVE-2026-2826 |