CVE-2026-1857 in Gutenberg Blocks with AI by Kadence WP Plugininformação

Sumário

de MITRE • 18/02/2026

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Divulgação

18/02/2026

Moderação

aceite

Entrada

VDB-346390

CPE

pronto

CWE

CWE-918 (confirmado)

CVSS

4.3 (CNA)

EPSS

0.00013

KEV

não

Atividades

muito baixo

Sector

Hostingprovider

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-1857
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-1857
CVE Details	https://www.cvedetails.com/cve/CVE-2026-1857/

◂ Voltar Visão Geral Próximo ▸

Might our Artificial Intelligence support you?

Check our Alexa App!