Vulnerabilities and security researches forkadence-blocks kadence-blocks

Direction: ascending

Jun 07, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # 7f8da6aa3ebf8eda56368739e88291da673770c1

CVE, Research URL: 7f8da6aa3ebf8eda56368739e88291da673770c1
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Aug 09, 2023
Research Description: Gutenberg Blocks with AI by Kadence WP – Page Builder Features [kadence-blocks] < 3.1.11 Kadence Blocks <= 3.1.10 - Unauthenticated Arbitrary File Upload The Kadence Blocks for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_fields function in versions up to, and including, 3.1.10. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 3.1.11.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-1999

CVE, Research URL: CVE-2024-1999
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 10, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget's anchor style parameter in all versions up to, and including, 3.2.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.26.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-1541

CVE, Research URL: CVE-2024-1541
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Mar 13, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htmlTag attribute in all versions up to, and including, 3.2.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.24.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-2919

CVE, Research URL: CVE-2024-2919
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 04, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CountUp Widget in all versions up to, and including, 3.2.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.32.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2023-6964

CVE, Research URL: CVE-2023-6964
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 10, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.26 via the 'kadence_import_get_new_connection_data' AJAX action. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions: max 3.2.12.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-2273

CVE, Research URL: CVE-2024-2273
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: May 02, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.2.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.35.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-4481

CVE, Research URL: CVE-2024-4481
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: May 14, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.37.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-23500

CVE, Research URL: CVE-2024-23500
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Mar 28, 2024
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Kadence WP Gutenberg Blocks by Kadence Blocks.This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through 3.2.19.
Affected versions: max 3.2.20.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-2866

CVE, Research URL: -
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 10, 2024
Research Description: Rejected reason: ** REJECT ** Accidental reservation. Please use CVE-2024-2509.
Affected versions: max 3.2.26.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-0598

CVE, Research URL: CVE-2024-0598
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 10, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 3.2.18.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-3189

CVE, Research URL: CVE-2024-3189
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: May 15, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Testimonial', 'Progress Bar', 'Lottie Animations', 'Row Layout', 'Google Maps', and 'Advanced Gallery' blocks in all versions up to, and including, 3.2.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.38.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-4209

CVE, Research URL: CVE-2024-4209
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: May 14, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown timer in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.37.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-24888

CVE, Research URL: CVE-2024-24888
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 03, 2024
Research Description: Server-Side Request Forgery (SSRF) vulnerability in Kadence WP Gutenberg Blocks by Kadence Blocks.This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through 3.2.25.
Affected versions: max 3.2.26.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-4208

CVE, Research URL: CVE-2024-4208
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: May 15, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the typer effect in the advanced heading widget in all versions up to, and including, 3.2.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.38.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-4057

CVE, Research URL: CVE-2024-4057
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Jun 04, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.37 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Affected versions: max 3.2.37.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-2509

CVE, Research URL: CVE-2024-2509
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 05, 2024
Research Description: The Gutenberg Blocks by Kadence Blocks WordPress plugin before 3.2.26 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Affected versions: max 3.2.26.
Status: vulnerable

Jun 17, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-4863

CVE, Research URL: CVE-2024-4863
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Jun 14, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘titleFont’ parameter in all versions up to, and including, 3.2.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.39.
Status: vulnerable

Jun 28, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-5289

CVE, Research URL: CVE-2024-5289
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Jun 27, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget parameters in all versions up to, and including, 3.2.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.43.
Status: vulnerable

Jul 01, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-5819

CVE, Research URL: CVE-2024-5819
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Jun 29, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.2.46.
Status: vulnerable

Aug 10, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-6884

CVE, Research URL: CVE-2024-6884
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Aug 08, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Affected versions: max 3.2.39.
Status: vulnerable

Nov 02, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-9655

CVE, Research URL: CVE-2024-9655
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Nov 01, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.3.2.
Status: vulnerable

Nov 21, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-10785

CVE, Research URL: CVE-2024-10785
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Nov 21, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.3.4.
Status: vulnerable

Dec 12, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-10637

CVE, Research URL: CVE-2024-10637
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Dec 12, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.54 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: max 3.2.54.
Status: vulnerable

Dec 15, 2024

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-12581

CVE, Research URL: CVE-2024-12581
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Dec 13, 2024
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 3.2.54.
Status: vulnerable

Jan 11, 2025

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2024-12304

CVE, Research URL: CVE-2024-12304
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Jan 11, 2025
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via button block link in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.4.3.
Status: vulnerable

Jan 26, 2025

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2025-24753

CVE, Research URL: CVE-2025-24753
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Jan 24, 2025
Research Description: Missing Authorization vulnerability in Kadence WP Gutenberg Blocks by Kadence Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through 3.3.1.
Affected versions: max 3.3.2.
Status: vulnerable

Mar 05, 2025

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2025-1291

CVE, Research URL: CVE-2025-1291
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Mar 01, 2025
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icon’ parameter in all versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.4.10.
Status: vulnerable

Jul 12, 2025

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2025-5678

CVE, Research URL: CVE-2025-5678
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Jul 09, 2025
Research Description: The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.5.11.
Status: vulnerable

Apr 13, 2026

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2026-2826

CVE, Research URL: CVE-2026-2826
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Apr 04, 2026
Research Description: The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the `upload_files` capability in the `process_pattern` REST API endpoint. This makes it possible for authenticated attackers, with contributor level access and above, to upload images to the WordPress Media Library by supplying remote image URLs that the server downloads and creates as media attachments.
Affected versions: max 3.6.4.
Status: vulnerable

Apr 14, 2026

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2026-2633

CVE, Research URL: CVE-2026-2633
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Feb 18, 2026
Research Description: The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJAX action. The function's authorization check via `verify_ajax_call()` only validates `edit_posts` capability but fails to check for the `upload_files` capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the standard WordPress capability restriction that prevents Contributors from uploading files.
Affected versions: max 3.6.2.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2026-1857

CVE, Research URL: CVE-2026-1857
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Feb 18, 2026
Research Description: The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers.
Affected versions: max 3.6.2.
Status: vulnerable

Gutenberg Blocks by Kadence Blocks – Page Builder Features # CVE-2026-2608

CVE, Research URL: CVE-2026-2608
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Date: Feb 17, 2026
Research Description: The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.
Affected versions: max 3.6.0.
Status: vulnerable