cleantalk
Vulnerabilities and Security Researches

Custom Blocks Constructor – Lazy Blocks, CVE-2026-1560

CVE, Research URL

CVE-2026-1560

Home page URL

Security reports for Custom Blocks Constructor – Lazy Blocks

Application

Custom Blocks Constructor – Lazy Blocks

Published on
Feb 11, 2026
Research Description
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Affected versions
max 4.2.1.
Status
vulnerable
Previous vulnerability researches
GNA Search Shortcode (CVE-2025-46540) , Apr 26, 2025
New vulnerability
Zarinpal Gateway (CVE-2026-2592) , Apr 15, 2026
Twitter posts to Blog (CVE-2026-1786) , Apr 15, 2026
Simple Download Monitor (CVE-2026-2383) , Apr 15, 2026
Blog2Social: Social Media Auto Post & Scheduler (CVE-2026-1942) , Apr 15, 2026
WP Content Permission (CVE-2026-0743) , Apr 15, 2026