[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwpMRZtmJclRh4AI5OBhAobaclZ1xwo9edDYPpETdSKs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-6675","responsive-blocks-unauthenticated-open-email-relay-via-rest-api-emailto-parameter","Responsive Blocks \u003C= 2.2.0 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter","The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to Unauthenticated Open Email Relay in all versions up to, and including, 2.2.0. This is due to insufficient authorization checks and missing server-side validation of the recipient email address supplied via a public REST API route. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient of their choosing through the affected WordPress site's mail server, effectively turning the site into an open mail relay.","responsive-block-editor-addons",null,"\u003C=2.2.0","2.2.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Input Validation","2026-04-20 14:13:38","2026-04-21 02:25:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F17452a29-bcef-451a-9893-a436ac5d3b80?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-6675\n\n## 1. Vulnerability Summary\nThe **Responsive Blocks** plugin (\u003C= 2.2.0) contains an unauthenticated open email relay vulnerability. The flaw exists within a public WordPress REST API endpoint that handles email functionality (likely associated with a contact form or lead generation block). The endpoint accepts a recipient address via the `email_to` parameter without verifying that the address belongs to an authorized site administrator or is hardcoded in the block configuration. Consequently, an unauthenticated attacker can use the WordPress site's server to send arbitrary emails to any destination.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** A REST API route registered under the plugin's namespace (likely `responsive-blocks\u002Fv1` or `responsive-block-editor-addons\u002Fv1`).\n- **HTTP Method:** `POST`\n- **Vulnerable Parameter:** `email_to`\n- **Authentication:** None (Unauthenticated).\n- **Preconditions:** The plugin must be active. The specific block that utilizes this REST route does not necessarily need to be published on a page if the REST API is globally accessible, though a nonce might be required if the `permission_callback` is tied to one.\n\n## 3. Code Flow\n1.  **Route Registration:** The plugin registers a REST route during the `rest_api_init` hook using `register_rest_route()`.\n2.  **Missing Authorization:** The `permission_callback` for this route likely returns `__return_true` or lacks a `current_user_can()` check.\n3.  **Input Processing:** The handler function associated with the route retrieves the `email_to` parameter from the `WP_REST_Request` object via `$request->get_param('email_to')`.\n4.  **Sink:** The unsanitized\u002Funvalidated `email_to` value is passed directly as the first argument (`$to`) to the `wp_mail()` function.\n\n## 4. Nonce Acquisition Strategy\nREST API endpoints in WordPress often require a `wp_rest` nonce passed in the `_wpnonce` parameter or the `X-WP-Nonce` header.\n\n1.  **Identify the Script Variable:** Search the codebase for `wp_localize_script` to see where the REST URL and nonce are passed to the frontend.\n    -   *Command:* `grep -rn \"wp_localize_script\" .`\n2.  **Target Block:** The email functionality is likely part of a \"Contact Form\" or \"Newsletter\" block. Identify the shortcode or block name.\n3.  **Setup for Extraction:**\n    -   Create a page containing the relevant block: `wp post create --post_type=page --post_status=publish --post_content='\u003C!-- wp:responsive-blocks\u002Fcontact-form \u002F-->'`. (The exact block name should be verified via `grep -rn \"register_block_type\" .`).\n4.  **Extract via Browser:**\n    -   Navigate to the newly created page using `browser_navigate`.\n    -   Execute `browser_eval` to find the nonce.\n    -   *Example JS:* `window.responsive_blocks_params?.nonce` or `window.rb_data?.rest_nonce` (Search for exact keys in the source).\n\n*Note: If the `permission_callback` is truly empty or `__return_true`, a nonce may not be required at all.*\n\n## 5. Exploitation Strategy\n1.  **Locate Endpoint:** Search the plugin for the specific REST route.\n    -   *Command:* `grep -r \"register_rest_route\" .`\n    -   Look for routes that reference `email_to`.\n2.  **Determine Parameters:** Identify other required parameters (e.g., `subject`, `message`, `name`).\n3.  **Craft the Request:**\n    -   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fresponsive-blocks\u002Fv1\u002Fsend-email` (inferred route).\n    -   **Headers:** `Content-Type: application\u002Fjson`\n    -   **Body:**\n        ```json\n        {\n          \"email_to\": \"target-victim@example.com\",\n          \"subject\": \"Important Security Update\",\n          \"message\": \"This is an arbitrary message sent via your own server.\",\n          \"reply_to\": \"attacker@evil.com\"\n        }\n        ```\n4.  **Execute:** Use the `http_request` tool to send the POST request.\n\n## 6. Test Data Setup\n1.  Install and activate `responsive-block-editor-addons` version 2.2.0.\n2.  (Optional) Create a page with the contact form block to identify the exact REST parameters used by the legitimate frontend.\n    -   `wp post create --post_type=page --post_title=\"Contact\" --post_status=publish --post_content='\u003C!-- wp:responsive-blocks\u002Fcontact-form \u002F-->'`\n3.  Ensure `WP_DEBUG` is enabled to catch any `wp_mail` errors.\n\n## 7. Expected Results\n-   The server should return a `200 OK` or `201 Created` status code.\n-   The response body might contain `{\"success\": true}` or similar confirmation.\n-   The WordPress mail system will attempt to deliver an email to `target-victim@example.com`.\n\n## 8. Verification Steps\n1.  **Intercept Email:** Use `wp-cli` to check the mail log if a logging plugin (like WP Mail Logging) is installed.\n2.  **Debug Log:** Check `wp-content\u002Fdebug.log` for any output from the `wp_mail` filter or errors.\n3.  **Manual Check:** If the test environment has a catch-all mailbox (like MailHog), verify the arrival of the email with the attacker-specified subject and body.\n4.  **Code Audit Verification:**\n    -   Verify that the `permission_callback` in `includes\u002Frest-api\u002Fclass-responsive-blocks-rest-api.php` (inferred path) does not check for `manage_options` or similar capabilities.\n\n## 9. Alternative Approaches\n-   **Form-Data:** If the REST API does not accept JSON, try `Content-Type: application\u002Fx-www-form-urlencoded`.\n-   **Action Parameter:** Check if the route is actually a generic one that takes an `action` parameter to determine which function to run (e.g., `?action=submit_form`).\n-   **Default Recipients:** If `email_to` is ignored, check if other parameters like `to_email` or `recipient` are used instead. The grep for `email_to` is the primary source of truth.","The Responsive Blocks plugin for WordPress is vulnerable to an unauthenticated open email relay because it fails to validate the recipient address in its REST API. An attacker can specify any email address in the 'email_to' parameter, causing the WordPress site to send arbitrary messages to third parties using its own mail server.","1. Locate the REST API endpoint registered by the plugin, typically under the 'responsive-blocks\u002Fv1' namespace.\n2. Prepare a POST request to the endpoint (e.g., \u002Fwp-json\u002Fresponsive-blocks\u002Fv1\u002Fsend-email).\n3. Set the 'email_to' parameter in the request body to the intended victim's email address.\n4. Populate other parameters such as 'subject', 'message', and 'name' with the desired spam or phishing content.\n5. Execute the request unauthenticated; the server will process the request and call wp_mail() with the attacker-supplied recipient, effectively acting as an open mail relay.","gemini-3-flash-preview","2026-04-27 14:12:53","2026-04-27 14:14:39",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","2.2.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-block-editor-addons\u002Ftags\u002F2.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-block-editor-addons.2.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-block-editor-addons\u002Ftags\u002F2.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fresponsive-block-editor-addons.2.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fresponsive-block-editor-addons\u002Ftags"]