CVE-2026-2826 in Kadence Blocks Plugin
Sumário (Inglês)
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the `upload_files` capability in the `process_pattern` REST API endpoint. This makes it possible for authenticated attackers, with contributor level access and above, to upload images to the WordPress Media Library by supplying remote image URLs that the server downloads and creates as media attachments.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Responsável
Wordfence
Reservar
19/02/2026
Divulgação
04/04/2026
Estado
Confirmado
Inscrições
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerabilidade | CWE | Exp | Con | CVE |
|---|---|---|---|---|---|
| 355307 | stellarwp Kadence Blocks Plugin REST API process_pattern upload_files Elevação de Privilégios | 862 | Não definido | Correção oficial | CVE-2026-2826 |
Descrição
CPE
CWE
CVSS
Explorações
História
Diferença
Relacionar
Inteligência de ameaças
API JSON
API XML
API CSV