Gutenberg Blocks by Kadence Blocks – Page Builder Features, CVE-2026-2633

CVE, Research URL: CVE-2026-2633
Home page URL: Security reports for Gutenberg Blocks by Kadence Blocks – Page Builder Features
Application: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Published on: Feb 18, 2026
Research Description: The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJAX action. The function's authorization check via `verify_ajax_call()` only validates `edit_posts` capability but fails to check for the `upload_files` capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the standard WordPress capability restriction that prevents Contributors from uploading files.
Affected versions: max 3.6.2.
Status: vulnerable