Description
The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-06-04
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin, when run on WordPress, contains a server‑side request forgery vulnerability triggered by the save_ai_generated_image() function. An authenticated attacker with Author user role or higher can cause the server to issue arbitrary HTTP requests to any target reachable from the web application, potentially leaking or altering internal data. The weakness is classified as CWE‑918, indicating that the flaw arises from insufficient validation of user‑controlled request parameters that construct outgoing requests.

Affected Systems

All installations of the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin up to and including version 6.1.3 are affected. This includes site deployments with WordPress running any of those plugin releases, where the attacker must first authenticate as an Author or higher.

Risk and Exploitability

The CVSS score is 7.2, denoting a high severity impact. EPSS is not available, so no current exploitation probability can be measured. The vulnerability is not recorded in the CISA KEV catalog. Attackers must be authenticated, meaning they need to compromise or elevate to at least Author level. Once privileged, they can bind requests to internal services, modifying or reading sensitive data. Given the high severity and the necessity of authentication, administrators should treat this as a critical issue when the plugin is deployed.

Generated by OpenCVE AI on June 5, 2026 at 00:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gutenberg Essential Blocks to a version newer than 6.1.3 as soon as the vendor releases a fix.
  • If an upgrade cannot be performed immediately, disable or remove the AI image generation feature that calls save_ai_generated_image() to prevent the SSRF path from being exercised.
  • Audit internal network traffic originating from the WordPress application for any unexpected outbound connections to assess whether legitimate or malicious requests were sent in the interim.

Generated by OpenCVE AI on June 5, 2026 at 00:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns
Vendors & Products Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 6.1.3 - Authenticated (Author+) Server-Side Request Forgery
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpdevteam Gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T01:59:19.825Z

Reserved: 2026-06-01T19:26:38.526Z

Link: CVE-2026-10586

cve-icon Vulnrichment

Updated: 2026-06-05T01:59:16.428Z

cve-icon NVD

Status : Received

Published: 2026-06-05T00:16:57.747

Modified: 2026-06-05T00:16:57.747

Link: CVE-2026-10586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses