Description
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

The Gutenberg Blocks with AI by Kadence WP plugin does not sufficiently validate the endpoint parameter passed to the get_items() function of its GetResponse REST API handler, and the route's permission check requires only the edit_posts capability. Any authenticated user holding that capability (Contributor and above) can therefore make the server issue requests for arbitrary paths on the configured GetResponse API host, with the site's stored API key attached in the request headers, and read back the responses: contacts, campaigns, mailing lists and other account data. The flaw yields no code execution on the WordPress host; its impact is disclosure of the site's GetResponse data and exposure of a credential that is valid against an external service.

Affected Systems

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress (catalogued as Stellarwp Kadence Blocks – Page Builder Toolkit for Gutenberg Editor), all versions up to and including 3.6.1. The supplied data names no version that contains a fix.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) rates the issue Medium: reachable over the network with low attack complexity, requiring low privileges and no user interaction, with a confidentiality impact only. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. Exploitation requires an authenticated account at Contributor level or higher on a site running the vulnerable plugin with a GetResponse API key stored. Per the description, the forged requests go to the configured GetResponse API host rather than to arbitrary internal or external hosts, so the realistic outcome is disclosure of the GetResponse account data and of the stored API key, a credential that may be reusable against the GetResponse account itself. The flaw does not yield code execution or elevated WordPress privileges.

Generated by OpenCVE AI on April 15, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kadence Blocks plugin as soon as a release that fixes the endpoint validation is published. This record lists no fixed version, so confirm in the plugin changelog that the version you install is later than 3.6.1 and addresses this issue.
  • Until then, reduce exposure: the handler is reachable by any account with edit_posts, so audit and prune Contributor-and-above accounts, or deactivate the GetResponse integration and remove the stored API key if it is not needed. A proper fix requires the route's permission_callback to demand manage_options and the endpoint parameter to be restricted to a fixed allowlist of paths rather than a caller-supplied value.
  • Rotate the stored GetResponse API key after patching, since any Contributor could already have used it. Generic egress filtering by destination host does not mitigate this issue: the requests go to the legitimate GetResponse API host, and only the path is attacker-controlled.
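The following is an added illustration of the flaw described in the Impact section and of the fix the actions above call for; it is not the Kadence Blocks source. It shows a WordPress REST handler that proxies a caller-supplied endpoint parameter to a GetResponse host, first in the weak shape the advisory describes (edit_posts permission check, unvalidated endpoint), then hardened (manage_options plus an exact-match allowlist). The route name, option names, function names and the allowlist contents are hypothetical (kb_example_ prefix), and the X-Auth-Token header is GetResponse's documented v3 authentication scheme, assumed here as the way the integration calls the API.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed kb_example_ are hypothetical.

// ---------- Weak form: the two defects the advisory names ----------

function kb_example_permission_weak() {
    // Defect 1: edit_posts is granted to Contributors, so any low-privilege
    // author can drive a request that spends the site's stored API credential.
    return current_user_can( 'edit_posts' );
}

function kb_example_get_items_weak( WP_REST_Request $request ) {
    $api_key  = (string) get_option( 'kb_example_getresponse_api_key' );
    $base_url = (string) get_option( 'kb_example_getresponse_api_url', 'https://api.getresponse.com/v3' );

    // Defect 2: the caller's `endpoint` is appended verbatim, so contacts,
    // campaigns, lists or anything else on that host is reachable with the key.
    $url = trailingslashit( $base_url ) . ltrim( (string) $request->get_param( 'endpoint' ), '/' );

    $response = wp_remote_get( $url, array(
        // GetResponse v3 authentication header (assumption about how the integration calls the API).
        'headers' => array( 'X-Auth-Token' => 'api-key ' . $api_key ),
    ) );
    return rest_ensure_response( json_decode( wp_remote_retrieve_body( $response ), true ) );
}

// ---------- Hardened form ----------

// Hypothetical allowlist: only the resources the block editor UI actually needs.
const KB_EXAMPLE_ALLOWED_ENDPOINTS = array( 'campaigns' );

function kb_example_permission_strict() {
    // Fix 1: only administrators may trigger a request that uses the stored key.
    return current_user_can( 'manage_options' );
}

function kb_example_validate_endpoint( $value, WP_REST_Request $request, $param ) {
    // Fix 2: exact-match allowlist. A value that is not literally one of the
    // allowed names is rejected before the callback runs, which also rules out
    // traversal segments, query strings and absolute URLs without any sanitising.
    if ( ! is_string( $value ) || ! in_array( $value, KB_EXAMPLE_ALLOWED_ENDPOINTS, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unsupported GetResponse endpoint.', array( 'status' => 400 ) );
    }
    return true;
}

function kb_example_get_items_strict( WP_REST_Request $request ) {
    $api_key = (string) get_option( 'kb_example_getresponse_api_key' );
    if ( '' === $api_key ) {
        return new WP_Error( 'kb_example_not_configured', 'GetResponse is not configured.', array( 'status' => 400 ) );
    }
    // The host is fixed in code and the path is one of the allowlisted names.
    $url = 'https://api.getresponse.com/v3/' . $request->get_param( 'endpoint' );

    $response = wp_remote_get( $url, array(
        'headers' => array( 'X-Auth-Token' => 'api-key ' . $api_key ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        // Do not echo the upstream body: it may carry account-specific error detail.
        return new WP_Error( 'kb_example_upstream', 'GetResponse request failed.', array( 'status' => 502 ) );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return rest_ensure_response( is_array( $data ) ? $data : array() );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'kb-example/v1', '/getresponse/items', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'kb_example_get_items_strict',
        'permission_callback' => 'kb_example_permission_strict',
        'args'                => array(
            'endpoint' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'kb_example_validate_endpoint',
            ),
        ),
    ) );
} );
```

With the hardened route registered, a Contributor requesting GET /wp-json/kb-example/v1/getresponse/items?endpoint=contacts receives a 403 rest_forbidden from the permission callback, and an Administrator sending the same request receives a 400 from the validate callback; only endpoint=campaigns reaches the upstream call. Both fixes are needed: raising the capability alone still leaves an administrator-triggerable proxy to arbitrary paths, and the allowlist alone still lets Contributors spend the site's credential.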

Generated by OpenCVE AI on April 15, 2026 at 20:24 UTC.


Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Stellarwp
Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor
Wordpress
Wordpress wordpress
Vendors & Products Stellarwp
Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor
Wordpress
Wordpress wordpress

Wed, 18 Feb 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers.
Title Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'endpoint' Parameter
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Stellarwp Kadence Blocks — Page Builder Toolkit For Gutenberg Editor
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:27.779Z

Reserved: 2026-02-03T19:00:13.022Z

Link: CVE-2026-1857

Vulnrichment

Updated: 2026-02-18T20:26:35.577Z

NVD

Status : Deferred

Published: 2026-02-18T07:16:09.907

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses