cleantalk
Vulnerabilities and Security Researches

Custom Blocks Constructor – Lazy Blocks, CVE-2026-1560

CVE, Research URL

CVE-2026-1560

Home page URL

Security reports for Custom Blocks Constructor – Lazy Blocks

Application

Custom Blocks Constructor – Lazy Blocks

Published on
Feb 11, 2026
Research Description
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Affected versions
max 4.2.1.
Status
vulnerable
Previous vulnerability researches
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2025-13750) , Jan 28, 2026
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2019-15834) , Jun 06, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2021-25074) , Jun 10, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2026-1356) , Apr 14, 2026
New vulnerability
Events Listing Widget (CVE-2026-1252) , Apr 15, 2026
WholeSale Products Dynamic Pricing Management WooCommerce (CVE-2026-4479) , Apr 15, 2026
OS DataHub Maps (CVE-2026-1730) , Apr 15, 2026
Category Image (CVE-2026-0815) , Apr 15, 2026
Zarinpal Gateway (CVE-2026-2592) , Apr 15, 2026