CVE-2026-2028 - Vulnerability Details

- Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter

Description

The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.

Published: 2026-04-24

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The MaxiBlocks Builder plugin for WordPress has an insufficient file ownership check on the maxi_remove_custom_image_size AJAX action. This flaw allows an authenticated user with Author level or higher to delete any file in the wp-content/uploads directory, including those uploaded by other users and administrators. The deletion removes critical media assets, potentially disrupting site functionality and compromising content integrity. The weakness is categorized as CWE‑639, which is an authorized access vulnerability.

Affected Systems

All installations of the MaxiBlocks Builder plugin for WordPress up to and including version 2.1.8 are affected. The issue is present in every release through 2.1.8; any site still using those releases is susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated User with Author role or higher, so an attacker must first obtain a user account with sufficient permissions before deleting files. The attacker can target any media file without needing additional privileges, making the impact widespread for sites with many Uploads.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ckp267

MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.1.8

No data.

Vendor Product Confidence Versions

Ckp267

Maxiblocks Builder

100%

Version	Status	Scheme	Platform
`[0,2.1.8]`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the MaxiBlocks Builder plugin to the latest released version where this issue is resolved.
If an upgrade is not immediately possible, remove or disable the maxi_remove_custom_image_size AJAX endpoint to block the deletion action.
Revoke Author and higher roles from the capability to delete media or configure role permissions to restrict media deletions.

Generated by OpenCVE AI on April 28, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199
https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44
https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44
https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476709%40maxi-blocks&new=3476709%40maxi-blocks&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve

History

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ckp267 Ckp267 maxiblocks Builder Wordpress Wordpress wordpress
Vendors & Products		Ckp267 Ckp267 maxiblocks Builder Wordpress Wordpress wordpress

Fri, 24 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.
Title		Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter
Weaknesses		CWE-639
References		https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199 https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44 https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44 https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476709%40maxi-blocks&new=3476709%40maxi-blocks&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Ckp267 Maxiblocks Builder

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-24T03:27:06.728Z

Updated: 2026-04-24T13:59:29.795Z

Reserved: 2026-02-05T21:46:52.497Z

Link: CVE-2026-2028

Vulnrichment

Updated: 2026-04-24T13:59:05.993Z

NVD

Status : Deferred

Published: 2026-04-24T04:16:09.360

Modified: 2026-04-24T14:38:26.740

Link: CVE-2026-2028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object