[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx27I0RB8sT09n1ojEQ9L4DezM4qEC532Zv1w1FsUFq8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-11357","kadence-blocks-authenticated-contributor-sensitive-information-exposure-via-block-editor-prodata-localization","Kadence Blocks \u003C= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization","The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editor_assets_variables. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's connected Kadence account license key, license owner email, api_key, api_email, and license domain from the browser console by inspecting window.kadence_blocks_params.proData. Exploitation requires only that an administrator has previously connected a valid Kadence license; the full credential bundle is then readable by any Contributor-level user from the block editor client context without any server-side request manipulation.","kadence-blocks",null,"\u003C=3.7.5","3.7.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-17 16:14:34","2026-06-18 04:31:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffa62c795-57b8-48e5-a49f-2e1f3c792c87?source=api-prod",1,[22,23,24,25,26,27,28,29],"dist\u002Fadmin-kadence-home.asset.php","dist\u002Fadmin-kadence-home.js","dist\u002Fblocks-advancedheading.asset.php","dist\u002Fblocks-advancedheading.js","dist\u002Fblocks-rowlayout.asset.php","dist\u002Fblocks-rowlayout.js","includes\u002Fblocks\u002Fclass-kadence-blocks-posts-block.php","includes\u002Fclass-kadence-blocks-editor-assets.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-11357 - Kadence Blocks Sensitive Information Exposure\n\n## 1. Vulnerability Summary\nThe **Kadence Blocks** plugin (\u003C= 3.7.5) is vulnerable to **Sensitive Information Exposure**. The plugin's editor asset initialization logic enqueues site-wide license credentials and API keys into the global JavaScript context of the WordPress block editor (Gutenberg). Because any user with **Contributor** permissions or higher can access the post editor, they can retrieve the administrator's Kadence license key, API keys, and associated emails directly from the browser's global scope without requiring administrative privileges.\n\nThe vulnerability exists in `KadenceWP\\KadenceBlocks\\Editor_Assets::editor_assets_variables`, which is hooked to `enqueue_block_editor_assets`.\n\n## 2. Attack Vector Analysis\n- **Authentication Level:** Authenticated (Contributor+).\n- **Target Endpoint:** Any Gutenberg-enabled editor page, such as `\u002Fwp-admin\u002Fpost-new.php` or `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=edit`.\n- **Vulnerable Mechanism:** The `wp_localize_script` function is used to pass server-side data to the client-side `kadence-blocks-js` script.\n- **Exposure Point:** The global JavaScript object `window.kadence_blocks_params.proData`.\n\n## 3. Code Flow\n1.  **Initialization:** The `Editor_Assets` class (in `includes\u002Fclass-kadence-blocks-editor-assets.php`) registers its hooks in the constructor:\n    ```php\n    add_action( 'enqueue_block_editor_assets', [ $this, 'editor_assets_variables' ] );\n    ```\n2.  **Asset Enqueueing:** When a user (Contributor or above) loads the post editor, WordPress triggers the `enqueue_block_editor_assets` hook.\n3.  **Data Collection:** `Editor_Assets::editor_assets_variables()` is executed. It retrieves sensitive license data using helper functions like `kadence_blocks_get_current_license_data()` and `KadenceWP\\KadenceBlocks\\StellarWP\\Uplink\\get_license_domain()`.\n4.  **Localization:** The collected data is packed into an array (specifically under the `proData` key) and passed to the browser via:\n    ```php\n    wp_localize_script( 'kadence-blocks-js', 'kadence_blocks_params', $variables );\n    ```\n5.  **Exposure:** The browser receives the sensitive data in a `\u003Cscript>` tag, populating `window.kadence_blocks_params`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a WordPress nonce** for exploitation. The sensitive information is automatically localized and made available in the global JS scope upon successfully loading the WordPress editor page. The only requirement is a valid session cookie for a user with the `edit_posts` capability.\n\n## 5. Exploitation Strategy\nThe goal is to log in as a Contributor and read the `proData` object from the editor context.\n\n### Step 1: Authentication\nUse the `http_request` tool to log in as a Contributor user and obtain a valid session cookie.\n\n### Step 2: Navigate to Editor\nNavigate to the \"New Post\" page to trigger the Gutenberg editor.\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost-new.php`\n\n### Step 3: Extract Data\nOnce the page is loaded, use `browser_eval` to extract the sensitive credentials.\n\n**Payload:**\n```javascript\nJSON.stringify(window.kadence_blocks_params?.proData || \"Data not found\")\n```\n\n### Step 4: Capture Response\nThe extracted object should contain keys such as:\n- `api_key`\n- `api_email`\n- `license_key`\n- `license_email`\n- `license_domain`\n\n## 6. Test Data Setup\nTo demonstrate the exposure, the environment must have \"mocked\" license data stored in the database.\n\n1.  **Install Plugin:** Ensure Kadence Blocks version 3.7.5 is active.\n2.  **Create Contributor User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n3.  **Mock License Data:** Kadence typically stores license data in the `options` table. Use `wp eval` to inject dummy data:\n    ```bash\n    wp eval 'update_option(\"kadence_blocks_license_data\", [ \"api_key\" => \"EXPLOIT-KEY-12345\", \"api_email\" => \"admin@target.com\", \"license_key\" => \"LICENSE-67890\", \"license_email\" => \"admin@target.com\", \"license_domain\" => \"target.com\" ]);'\n    # Also mock legacy or pro data if needed based on version specifics\n    wp eval 'update_option(\"kt_api_manager_kadence_gutenberg_pro_data\", [ \"api_key\" => \"PRO-API-KEY-999\", \"api_email\" => \"pro@target.com\" ]);'\n    ```\n\n## 7. Expected Results\nA successful exploit will return a JSON object containing the mocked license details:\n```json\n{\n  \"api_key\": \"EXPLOIT-KEY-12345\",\n  \"api_email\": \"admin@target.com\",\n  \"license_key\": \"LICENSE-67890\",\n  \"license_email\": \"admin@target.com\",\n  \"license_domain\": \"target.com\"\n}\n```\n\n## 8. Verification Steps\n1.  **Compare Output:** Verify that the keys and values extracted via `browser_eval` match the values injected into the database via `wp eval` in the setup phase.\n2.  **Check Capability:** Attempt the same `browser_eval` as an unauthenticated user (should fail with a redirect to `wp-login.php`) to confirm the `Authenticated (Contributor+)` requirement.\n\n## 9. Alternative Approaches\nIf `window.kadence_blocks_params` is not directly accessible, inspect the page source via `http_request` and search for the localized script string:\n```bash\n# Look for the localization pattern in the HTML response\ngrep -o \"var kadence_blocks_params = [^;]*;\" \n```\nThis serves as a backup if the Gutenberg editor fails to initialize fully in the headless browser but the script tags are still rendered.","gemini-3-flash-preview","2026-06-25 21:59:12","2026-06-25 22:00:16",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.7.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkadence-blocks\u002Ftags\u002F3.7.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkadence-blocks.3.7.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkadence-blocks\u002Ftags\u002F3.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkadence-blocks.3.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkadence-blocks\u002Ftags"]