The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is affected by a missing capability check inside a specific function. Authenticated attackers who hold a Contributor role or higher can perform an action that the system should restrict, effectively bypassing intended permission controls. This flaw allows attackers to elevate privileges or execute unintended operations, compromising the integrity of the site’s content and potentially exposing sensitive data.

WordPress sites using the Kadence Blocks plugin version 3.5.32 or older. The vulnerability applies to all releases up to and including 3.5.32; newer releases beyond 3.5.32 are not affected. The plugin is distributed by StellarWP under the name Kadence Blocks, a toolkit for building Gutenberg blocks.

The CVSS base score of 4.3 places the flaw in the moderate range, indicating that the attack requires valid credentials and no complex exploitation steps. The EPSS score of less than 1% suggests that exploitation in the wild is unlikely, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a direct use of the WordPress administrative interface by a user with contributor‑level access or higher; no remote network exploitation is indicated. Because the flaw is purely an authorization omission, an attacker who can authenticate as a contributor can exploit it immediately after login. Assess the exposure of contributor accounts as a priority.