Description
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJAX action. The function's authorization check via `verify_ajax_call()` only validates `edit_posts` capability but fails to check for the `upload_files` capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the standard WordPress capability restriction that prevents Contributors from uploading files.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized media uploads by authenticated Contributor+ users
Action: Apply Patch
AI Analysis

Impact

The Kadence Blocks – Page Builder Toolkit for Gutenberg Editor plugin for WordPress contains a missing capability check in the AJAX handler that processes image data. The handler verifies only that the user has the capability to edit posts and fails to verify that the user is allowed to upload files. As a result, any authenticated user with Contributor or higher capabilities can trigger the AJAX action to import images from remote URLs into the WordPress Media Library without the standard permission checks. This flaw does not allow direct code execution but permits misuse of the media upload functionality, potentially compromising the integrity of the media repository.

Affected Systems

Kadence Blocks – Page Builder Toolkit for Gutenberg Editor, all released versions up to and including 3.6.1, which are installed on WordPress sites.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low likelihood of exploitation. The vulnerability is not listed in the KEV catalog. Exploitation requires an authenticated account with Contributor or higher capability, so the risk is limited to sites that already have such user roles. Even though no remote code execution or privilege escalation is possible, repeated unauthorized uploads could affect media integrity and availability.

Generated by OpenCVE AI on April 15, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kadence Blocks to the latest available release (typically 3.6.2 or newer) to include the missing capability check.
  • If the image import feature is unnecessary, completely disable the 'kadence_import_process_image_data' AJAX action by removing the associated function from the plugin or by applying a custom filter to block the action.
  • Audit the plugin’s code for similar missing capability checks, particularly around functions that manipulate media files, and ensure that 'upload_files' is always required for upload-related actions.
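The advisory's root cause is an authorization check that stops at `edit_posts`, a capability Contributors hold, when the action performs an upload, which WordPress reserves for roles holding `upload_files`. The PHP below is an added example written for this page, not code from the Kadence Blocks plugin or from OpenCVE. It shows (1) the shape of a handler for the `kadence_import_process_image_data` action that gates on both capabilities, and (2) a must-use plugin guard that implements the "block the action" recommendation above on an unpatched site. The `example_` function names, the nonce name, the `image_url` request parameter, and the assumption that the plugin registers its own callback on the standard `wp_ajax_` hook at the default priority 10 are all hypothetical.

```php
<?php
/**
 * Plugin Name: Illustrative upload_files gate for the Kadence image import action
 *
 * Added example, not Kadence Blocks code. Part 1 shows the check the advisory
 * says is missing, inside a simplified hypothetical handler. Part 2 is a
 * site-side guard usable as a mu-plugin while the site is unpatched.
 * Assumptions (hypothetical): the plugin's handler is hooked on
 * wp_ajax_kadence_import_process_image_data at the default priority 10, and the
 * request carries the remote URL in an `image_url` POST field.
 */

// --- 1. Hardened handler shape ----------------------------------------------

function example_process_image_data_ajax_callback() {
	// Nonce check defends against CSRF only; it says nothing about what the
	// caller is allowed to do.
	check_ajax_referer( 'example_kadence_import_nonce', 'security' );

	// Every Contributor passes this check, so on its own it is exactly the
	// CWE-862 condition the advisory describes.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'Insufficient permissions', 403 );
	}

	// The missing check: writing into the Media Library is an upload, and
	// WordPress core already restricts that to roles holding upload_files
	// (Author and above by default). Contributors do not have it.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( 'Insufficient permissions', 403 );
	}

	$url = isset( $_POST['image_url'] ) ? esc_url_raw( wp_unslash( $_POST['image_url'] ) ) : '';
	if ( '' === $url || ! wp_http_validate_url( $url ) ) {
		wp_send_json_error( 'Invalid URL', 400 );
	}

	// Sideload the remote image into the Media Library. With 'id' as the
	// fourth argument the call returns the attachment ID or a WP_Error.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	require_once ABSPATH . 'wp-admin/includes/media.php';
	require_once ABSPATH . 'wp-admin/includes/image.php';
	$attachment_id = media_sideload_image( $url, 0, null, 'id' );
	if ( is_wp_error( $attachment_id ) ) {
		wp_send_json_error( $attachment_id->get_error_message(), 500 );
	}
	wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}

// --- 2. Site-side guard (mu-plugin) while unpatched -------------------------

/**
 * Hooked at priority 0 so it runs before the plugin's own callback (assumed at
 * the default priority 10). wp_send_json_error() ends the request via
 * wp_die(), so later callbacks on the same hook never execute for callers
 * without upload_files. Requests from Authors and above are untouched.
 */
function example_guard_kadence_image_import() {
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( 'upload_files capability required', 403 );
	}
}
add_action( 'wp_ajax_kadence_import_process_image_data', 'example_guard_kadence_image_import', 0 );
```

The guard is deliberately narrow: it adds the one missing capability check rather than removing the plugin's handler, so the feature keeps working for roles that may legitimately upload. Drop it in `wp-content/mu-plugins/` and remove it once the patched plugin release is installed. Failed attempts surface as HTTP 403 responses on `admin-ajax.php` with `action=kadence_import_process_image_data`, which is also a useful pattern to watch for in web server logs.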

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Stellarwp; Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Stellarwp; Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 07:15:00 +0000

Type: Description
Values Removed: none
Values Added: The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJAX action. The function's authorization check via `verify_ajax_call()` only validates `edit_posts` capability but fails to check for the `upload_files` capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the standard WordPress capability restriction that prevents Contributors from uploading files.

Type: Title
Values Removed: none
Values Added: Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload

Type: Weaknesses
Values Removed: none
Values Added: CWE-862

Type: References

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Stellarwp Kadence Blocks — Page Builder Toolkit For Gutenberg Editor
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:22.271Z

Reserved: 2026-02-17T17:42:46.510Z

Link: CVE-2026-2633

Vulnrichment

Updated: 2026-02-18T14:19:57.025Z

NVD

Status: Deferred

Published: 2026-02-18T07:16:10.807

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses