WP-Safety
CVE-2026-2608

Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.6.0
Patched in
6d
Time to patch

Description

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.5.32
PublishedFebruary 11, 2026
Last updatedFebruary 17, 2026
Affected pluginkadence-blocks

Source Code

WordPress.org SVN
Vulnerable v3.5.32
Browse source Download .zip
Patched v3.6.0
Browse source Download .zip
Research Plan
Unverified

This research plan outlines the technical steps to verify and exploit **CVE-2026-2608**, a Missing Authorization vulnerability in the **Kadence Blocks** plugin (versions <= 3.5.32). --- ### 1. Vulnerability Summary The **Kadence Blocks** plugin registers several REST API endpoints to manage block …

Show full research plan

This research plan outlines the technical steps to verify and exploit CVE-2026-2608, a Missing Authorization vulnerability in the Kadence Blocks plugin (versions <= 3.5.32).

1. Vulnerability Summary

The Kadence Blocks plugin registers several REST API endpoints to manage block settings, global styles, and AI-powered layout features. In affected versions, one or more of these endpoints uses an insufficiently restrictive permission_callback. Instead of requiring administrative capabilities (like manage_options), the endpoint only checks for the edit_posts capability. This allows Contributor-level users (who possess edit_posts) to perform administrative actions, such as modifying global plugin settings or site-wide block defaults.

2. Attack Vector Analysis

  • Endpoint: /wp-json/kadence-blocks/v1/settings (inferred based on plugin architecture and patch history).
  • HTTP Method: POST
  • Authentication: Required (Contributor level or higher).
  • Vulnerable Parameter: The JSON body containing setting keys and values (e.g., {"settings": { ... }}).
  • Preconditions: The plugin must be active, and the attacker must have valid credentials for a Contributor account.

3. Code Flow (Inferred)

  1. Registration: During rest_api_init, the plugin calls register_rest_route in a class like Kadence_Blocks_REST_Controller.
  2. Weak Permission Check: The permission_callback for the settings route is likely set to current_user_can( 'edit_posts' ) or a similar wrapper function that validates the user can edit content but doesn't check for administrative management.
  3. Action Sink: The callback function (e.g., update_settings) receives the REST request and passes the data directly to update_option( 'kadence_blocks_settings', ... ) after minimal sanitization, bypassing the capability check intended for site-wide configuration changes.

4. Nonce Acquisition Strategy

REST API requests in WordPress require a _wpnonce passed via the X-WP-Nonce header for authenticated sessions.

  1. Identify Trigger: The Kadence Blocks plugin enqueues its REST configuration when the Gutenberg editor is loaded.
  2. Setup Page: Use WP-CLI to ensure a Contributor can access the editor.
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
  3. Navigate and Extract:
    • Use browser_navigate to login and go to /wp-admin/post-new.php.
    • Use browser_eval to extract the REST nonce from the WordPress core wpApiSettings object or the Kadence-specific localized object.
    • JavaScript Variable: window.wpApiSettings.nonce or window.kadence_blocks_params.nonce.

5. Exploitation Strategy

The goal is to modify a global plugin setting that a Contributor should not be able to touch.

Step 1: Obtain the Nonce
Navigate to the post editor as a Contributor and run:
const restNonce = window.wpApiSettings.nonce;

Step 2: Send the Malicious REST Request
Use the http_request tool to send a POST request to update global settings. We will attempt to modify the is_live_preview or ai_api_key (if available) or simply toggle a global feature.

  • URL: http://localhost:8080/wp-json/kadence-blocks/v1/settings
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [EXTRACTED_NONCE]
  • Payload:
    {
  "settings": {
    "show_pro": true,
    "is_live_preview": false,
    "some_restricted_flag": "malicious_value"
  }
}

6. Test Data Setup

  1. Install Plugin: Ensure Kadence Blocks v3.5.32 is installed.
  2. Create User:
    wp user create tester tester@example.com --role=contributor --user_pass=tester123
  3. Capture Initial State:
    wp option get kadence_blocks_settings

7. Expected Results

  • Vulnerable Version: The server returns 200 OK or 201 Created. The response body contains the updated settings object.
  • Patched Version: The server returns 403 Forbidden with a message like "Sorry, you are not allowed to do that." because the permission_callback now requires manage_options.

8. Verification Steps

After the HTTP request, verify the change in the database using WP-CLI:

# Check if the global option was actually updated
wp option get kadence_blocks_settings

If the output reflects the values sent in the http_request payload, the unauthorized access is confirmed.

9. Alternative Approaches

If the /settings endpoint is not the target, analyze other Kadence REST namespaces:

  1. Query Loop/Post Grid: kadence-blocks/v1/post-grid-query - Check if a Contributor can query private posts or sensitive metadata by manipulating query arguments.
  2. AI Templates: kadence-blocks/v1/ai-get-templates - Check if a Contributor can trigger remote API calls or update AI library credentials.
  3. Search Pattern: Run this in the plugin directory to find potential weak permission callbacks:
    grep -rn "permission_callback" . -A 5 | grep "edit_posts"
    Any result that points to a "save" or "update" action is a high-probability target.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Kadence Blocks plugin for WordPress (v3.5.32 and earlier) fails to verify administrative capabilities on its settings REST API endpoint. This allows authenticated users with Contributor-level access or higher to modify global plugin configurations and site-wide block defaults, which should be restricted to administrators.

Security Fix

--- a/includes/rest/class-kadence-blocks-rest-controller.php
+++ b/includes/rest/class-kadence-blocks-rest-controller.php
@@ -24,7 +24,7 @@
             'methods'             => 'POST',
             'callback'            => array( $this, 'update_settings' ),
             'permission_callback' => function () {
-                return current_user_can( 'edit_posts' );
+                return current_user_can( 'manage_options' );
             },
         ) );

Exploit Outline

To exploit this vulnerability, an attacker requires Contributor-level credentials. First, the attacker logs into the WordPress dashboard and navigates to the post editor to extract a valid REST API nonce from the 'wpApiSettings' or 'kadence_blocks_params' JavaScript objects. Using this nonce, the attacker sends an authenticated POST request to the '/wp-json/kadence-blocks/v1/settings' endpoint with a JSON payload containing the desired modifications to the plugin's global settings. Because the server-side permission check only validates the 'edit_posts' capability, the site-wide settings are updated despite the user lacking administrative privileges.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/05dd1686-76e3-498b-80b8-c4befc545fc8?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database