cleantalk
Vulnerabilities and Security Researches

Custom Blocks Constructor – Lazy Blocks, CVE-2026-1560

CVE, Research URL

CVE-2026-1560

Home page URL

Security reports for Custom Blocks Constructor – Lazy Blocks

Application

Custom Blocks Constructor – Lazy Blocks

Published on
Feb 11, 2026
Research Description
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Affected versions
max 4.2.1.
Status
vulnerable
Previous vulnerability researches
Custom Blocks Constructor – Lazy Blocks (CVE-2026-1560) , Apr 15, 2026
Custom Blocks Constructor – Lazy Blocks (CVE-2024-12878) , Feb 15, 2025
New vulnerability
Beaver Builder – WordPress Page Builder (CVE-2026-1231) , Apr 15, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-6461) , Apr 15, 2026
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF (CVE-2026-1246) , Apr 15, 2026
NextScripts: Social Networks Auto-Poster (CVE-2026-3228) , Apr 15, 2026
Code Snippets (CVE-2026-1785) , Apr 15, 2026