CVE-2026-11357

Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.7.6
Patched in
1d
Time to patch

Description

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_variables. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's connected Kadence account license key, license owner email, api_key, api_email, and license domain from the browser console by inspecting window.kadence_blocks_params.proData. Exploitation requires only that an administrator has previously connected a valid Kadence license; the full credential bundle is then readable by any Contributor-level user from the block editor client context without any server-side request manipulation.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=3.7.5
PublishedJune 17, 2026
Last updatedJune 18, 2026
Affected pluginkadence-blocks

What Changed in the Fix

Changes introduced in v3.7.6

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-11357 - Kadence Blocks Sensitive Information Exposure ## 1. Vulnerability Summary The **Kadence Blocks** plugin (<= 3.7.5) is vulnerable to **Sensitive Information Exposure**. The plugin's editor asset initialization logic enqueues site-wide license credential…

Show full research plan

Exploitation Research Plan: CVE-2026-11357 - Kadence Blocks Sensitive Information Exposure

1. Vulnerability Summary

The Kadence Blocks plugin (<= 3.7.5) is vulnerable to Sensitive Information Exposure. The plugin's editor asset initialization logic enqueues site-wide license credentials and API keys into the global JavaScript context of the WordPress block editor (Gutenberg). Because any user with Contributor permissions or higher can access the post editor, they can retrieve the administrator's Kadence license key, API keys, and associated emails directly from the browser's global scope without requiring administrative privileges.

The vulnerability exists in KadenceWP\KadenceBlocks\Editor_Assets::editor_assets_variables, which is hooked to enqueue_block_editor_assets.

2. Attack Vector Analysis

  • Authentication Level: Authenticated (Contributor+).
  • Target Endpoint: Any Gutenberg-enabled editor page, such as /wp-admin/post-new.php or /wp-admin/post.php?post=[ID]&action=edit.
  • Vulnerable Mechanism: The wp_localize_script function is used to pass server-side data to the client-side kadence-blocks-js script.
  • Exposure Point: The global JavaScript object window.kadence_blocks_params.proData.

3. Code Flow

  1. Initialization: The Editor_Assets class (in includes/class-kadence-blocks-editor-assets.php) registers its hooks in the constructor:
    add_action( 'enqueue_block_editor_assets', [ $this, 'editor_assets_variables' ] );
    
  2. Asset Enqueueing: When a user (Contributor or above) loads the post editor, WordPress triggers the enqueue_block_editor_assets hook.
  3. Data Collection: Editor_Assets::editor_assets_variables() is executed. It retrieves sensitive license data using helper functions like kadence_blocks_get_current_license_data() and KadenceWP\KadenceBlocks\StellarWP\Uplink\get_license_domain().
  4. Localization: The collected data is packed into an array (specifically under the proData key) and passed to the browser via:
    wp_localize_script( 'kadence-blocks-js', 'kadence_blocks_params', $variables );
    
  5. Exposure: The browser receives the sensitive data in a <script> tag, populating window.kadence_blocks_params.

4. Nonce Acquisition Strategy

This vulnerability does not require a WordPress nonce for exploitation. The sensitive information is automatically localized and made available in the global JS scope upon successfully loading the WordPress editor page. The only requirement is a valid session cookie for a user with the edit_posts capability.

5. Exploitation Strategy

The goal is to log in as a Contributor and read the proData object from the editor context.

Step 1: Authentication

Use the http_request tool to log in as a Contributor user and obtain a valid session cookie.

Step 2: Navigate to Editor

Navigate to the "New Post" page to trigger the Gutenberg editor.

  • URL: http://[target]/wp-admin/post-new.php

Step 3: Extract Data

Once the page is loaded, use browser_eval to extract the sensitive credentials.

Payload:

JSON.stringify(window.kadence_blocks_params?.proData || "Data not found")

Step 4: Capture Response

The extracted object should contain keys such as:

  • api_key
  • api_email
  • license_key
  • license_email
  • license_domain

6. Test Data Setup

To demonstrate the exposure, the environment must have "mocked" license data stored in the database.

  1. Install Plugin: Ensure Kadence Blocks version 3.7.5 is active.
  2. Create Contributor User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
    
  3. Mock License Data: Kadence typically stores license data in the options table. Use wp eval to inject dummy data:
    wp eval 'update_option("kadence_blocks_license_data", [ "api_key" => "EXPLOIT-KEY-12345", "api_email" => "admin@target.com", "license_key" => "LICENSE-67890", "license_email" => "admin@target.com", "license_domain" => "target.com" ]);'
    # Also mock legacy or pro data if needed based on version specifics
    wp eval 'update_option("kt_api_manager_kadence_gutenberg_pro_data", [ "api_key" => "PRO-API-KEY-999", "api_email" => "pro@target.com" ]);'
    

7. Expected Results

A successful exploit will return a JSON object containing the mocked license details:

{
  "api_key": "EXPLOIT-KEY-12345",
  "api_email": "admin@target.com",
  "license_key": "LICENSE-67890",
  "license_email": "admin@target.com",
  "license_domain": "target.com"
}

8. Verification Steps

  1. Compare Output: Verify that the keys and values extracted via browser_eval match the values injected into the database via wp eval in the setup phase.
  2. Check Capability: Attempt the same browser_eval as an unauthenticated user (should fail with a redirect to wp-login.php) to confirm the Authenticated (Contributor+) requirement.

9. Alternative Approaches

If window.kadence_blocks_params is not directly accessible, inspect the page source via http_request and search for the localized script string:

# Look for the localization pattern in the HTML response
grep -o "var kadence_blocks_params = [^;]*;" 

This serves as a backup if the Gutenberg editor fails to initialize fully in the headless browser but the script tags are still rendered.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.