[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzLn0hFwdM0Cm8WnuqH0sf0c3xWYK_uYHPRDV3l9WQhk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-0950","spectra-gutenberg-blocks-unauthenticated-information-disclosure-in-sensitive-data","Spectra Gutenberg Blocks \u003C= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data","The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block.","ultimate-addons-for-gutenberg",null,"\u003C=2.19.17","2.19.18","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-02-02 16:58:28","2026-02-03 05:30:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fccaccf03-4162-4365-9f12-0363a78e91d4?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-0950\n\n## 1. Vulnerability Summary\nThe **Spectra Gutenberg Blocks** plugin (up to version 2.19.17) contains an unauthenticated information disclosure vulnerability. The plugin provides several \"Post\" blocks (Grid, Masonry, Carousel, Timeline) that display lists of WordPress posts. When rendering these blocks, the plugin manually retrieves and displays post excerpts via the functions `render_excerpt()` and `uagb_get_excerpt()`. \n\nThe vulnerability exists because these functions do not call the native WordPress function `post_password_required()`. Consequently, even if a post is password-protected, its excerpt is rendered and served to unauthenticated visitors on any page where a Spectra Post block is configured to show excerpts.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any frontend Page or Post containing one of the following Spectra blocks:\n    *   Post Grid (`uagb\u002Fpost-grid`)\n    *   Post Masonry (`uagb\u002Fpost-masonry`)\n    *   Post Carousel (`uagb\u002Fpost-carousel`)\n    *   Post Timeline (`uagb\u002Fpost-timeline`)\n*   **HTTP Method:** `GET`\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** \n    1.  A post exists that is **Password Protected**.\n    2.  This post has an excerpt (either a \"Manual Excerpt\" defined in the editor or an automatically generated one).\n    3.  A Spectra Post block is placed on a publicly accessible page and configured to display the password-protected post.\n    4.  The block's \"Show Excerpt\" setting is enabled (default behavior for many templates).\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user requests a page containing a Spectra block (e.g., Post Grid).\n2.  **Block Rendering:** WordPress executes the block's `render_callback`. For Spectra, this often points to a class method like `UAGB_Post::render_html` (inferred) or similar logic in `classes\u002Fclass-uagb-post.php`.\n3.  **Post Loop:** The plugin queries posts based on block attributes and iterates through them.\n4.  **Vulnerable Sink:** Inside the loop, the plugin calls `uagb_get_excerpt()` or `render_excerpt()`.\n    *   These functions typically use `$post->post_excerpt` or `get_the_excerpt($post->ID)`.\n    *   In a secure implementation, the code should check `if ( post_password_required( $post_id ) ) { return ''; }`.\n    *   Because this check is missing, the excerpt content is appended to the block's HTML output.\n5.  **Response:** The excerpt is sent to the browser in the final HTML.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required for this exploit.** \nThe vulnerability is triggered during standard frontend page rendering (Server-Side Rendering of Gutenberg blocks). Since the goal is to view a publicly accessible page to leak \"protected\" information, no authenticated actions or AJAX\u002FREST requests are necessary.\n\n## 5. Exploitation Strategy\n### Step 1: Create Protected Content\nCreate a post that is password protected and contains a sensitive excerpt.\n\n### Step 2: Create a Landing Page\nCreate a public page containing a Spectra Post Grid block configured to display the protected post.\n\n### Step 3: Trigger the Leak\nPerform a simple GET request to the Landing Page and grep for the secret excerpt content.\n\n**Payload:**\n```http\nGET \u002Flanding-page\u002F HTTP\u002F1.1\nHost: localhost\n```\n\n**Expected Response:**\nThe HTML will contain a `div` or `p` tag with a class like `uagb-post__excerpt` containing the \"hidden\" excerpt text.\n\n## 6. Test Data Setup\n1.  **Create Protected Post:**\n    ```bash\n    wp post create --post_type=post --post_title=\"Sensitive Post\" --post_content=\"This is the full secret content.\" --post_excerpt=\"CONFIDENTIAL_LEAK_DATA\" --post_status=publish --post_password=\"Password123\"\n    ```\n2.  **Create Landing Page with Spectra Block:**\n    The Post Grid block needs to be inserted. Since manual block JSON is complex, we will use a simple query:\n    ```bash\n    # Note: Attributes must include displayPostExcerpt: true\n    wp post create --post_type=page --post_title=\"Spectra Page\" --post_status=publish --post_content='\u003C!-- wp:uagb\u002Fpost-grid {\"displayPostExcerpt\":true,\"postsToShow\":1} \u002F-->'\n    ```\n3.  **Ensure Plugin is Active:**\n    ```bash\n    wp plugin activate ultimate-addons-for-gutenberg\n    ```\n\n## 7. Expected Results\n*   **Success:** The unauthenticated GET request to `\u002Fspectra-page\u002F` returns HTML containing the string `CONFIDENTIAL_LEAK_DATA`.\n*   **Normal WordPress Behavior:** If a post is password-protected, `the_excerpt()` should return a string like \"There is no excerpt because this is a protected post.\" or be empty. Spectra's failure to check `post_password_required()` bypasses this protection.\n\n## 8. Verification Steps\n1.  Navigate to the page using the `http_request` tool:\n    ```json\n    {\n      \"method\": \"GET\",\n      \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fspectra-page\u002F\"\n    }\n    ```\n2.  Check for the presence of the excerpt in the response body.\n3.  Verify the post is actually password protected:\n    ```bash\n    wp post get $(wp post list --post_type=post --title=\"Sensitive Post\" --field=ID) --field=post_password\n    ```\n\n## 9. Alternative Approaches\nIf the `\u003C!-- wp:uagb\u002Fpost-grid ... -->` block does not render correctly via CLI creation:\n1.  Use `browser_navigate` to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002F`.\n2.  Log in and manually create a page using the Gutenberg editor.\n3.  Add the \"Post Grid\" block from the Spectra category.\n4.  Ensure \"Show Excerpt\" is toggled ON in the right-hand settings sidebar.\n5.  Publish and then visit the page unauthenticated.\n\nIf the excerpt is automatically generated (not manual), check if the first ~20 words of the `post_content` (\"This is the full secret content\") appear in the output. The vulnerability applies to both manual and auto-excerpts.","gemini-3-flash-preview","2026-04-27 17:17:21","2026-04-27 17:19:23",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","2.19.17","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-addons-for-gutenberg\u002Ftags\u002F2.19.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-addons-for-gutenberg.2.19.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-addons-for-gutenberg\u002Ftags\u002F2.19.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-addons-for-gutenberg.2.19.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-addons-for-gutenberg\u002Ftags"]