Description
The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary shortcode execution via authenticated user
Action: Apply Patch
AI Analysis

Impact

WP Blockade for WordPress contains a missing authorization flaw in its shortcode preview handler. The handler is exposed through the admin_post action wp-blockade-shortcode-render, so any logged-in user can reach it, and it passes the 'shortcode' GET parameter straight to WordPress's do_shortcode() with no capability check and no nonce verification. The attacker therefore gets to execute, and read the rendered output of, any shortcode registered on the site: WordPress core's own shortcodes plus whatever the active theme and other plugins register. Whether that amounts to information disclosure, content modification or privilege escalation depends entirely on those other shortcodes; the CVSS vector (C:H/I:N/A:N) scores only the confidentiality impact.
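The pattern the description reports, reconstructed beside a hardened version of the same handler, as an added illustration written for this page rather than code taken from the plugin. Only the action name, the render_shortcode_preview() method name and the 'shortcode' parameter come from the advisory; the function names used here, the edit_posts capability, the nonce action string and the allow-list of tags are assumptions.

```php
<?php
// Added example, not WP Blockade's code. Everything except the action name
// 'wp-blockade-shortcode-render' and the 'shortcode' GET parameter is assumed.

// --- Pattern reported in the advisory (shown for contrast, not hooked) ------
// No current_user_can(), no nonce, raw request value executed: every user who
// can log in, Subscriber included, reaches this through
//   wp-admin/admin-post.php?action=wp-blockade-shortcode-render&shortcode=...
function vulnerable_render_shortcode_preview() {
    $shortcode = isset( $_GET['shortcode'] ) ? stripslashes( $_GET['shortcode'] ) : '';
    echo do_shortcode( $shortcode ); // any registered shortcode runs
    exit;
}

// --- Hardened form -----------------------------------------------------------
add_action( 'admin_post_wp-blockade-shortcode-render', 'hardened_render_shortcode_preview' );

function hardened_render_shortcode_preview() {
    // 1. Authorization (CWE-862): previewing is an editing feature, so require a
    //    capability editors hold and subscribers do not. 'edit_posts' is assumed.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to preview shortcodes.' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the plugin's UI must append a nonce to the preview URL, e.g.
    //    wp_nonce_url( admin_url( 'admin-post.php?action=wp-blockade-shortcode-render' ),
    //                  'wp-blockade-shortcode-render' );
    //    check_admin_referer() dies with 403 if the nonce is missing or stale.
    check_admin_referer( 'wp-blockade-shortcode-render', '_wpnonce' );

    // 3. Input: unslash, then accept exactly one shortcode whose tag is on the
    //    list this feature is meant to preview. get_shortcode_regex( $tags ) is the
    //    core helper; the tag list is an assumption.
    $allowed_tags = array( 'blockade_example' );
    $shortcode    = isset( $_GET['shortcode'] ) ? (string) wp_unslash( $_GET['shortcode'] ) : '';
    $pattern      = '/^' . get_shortcode_regex( $allowed_tags ) . '$/s';
    if ( '' === $shortcode || ! preg_match( $pattern, $shortcode ) ) {
        wp_die( esc_html__( 'Invalid or disallowed shortcode.' ), '', array( 'response' => 400 ) );
    }

    // 4. Render with an explicit content type so the preview is not sniffed.
    header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
    echo do_shortcode( $shortcode );
    exit;
}
```

Steps 1 and 2 are the two controls the advisory says are missing; step 3 is the extra boundary a preview endpoint should have anyway, because even an editor should not be able to turn a preview into a generic "run any shortcode on this site" primitive.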

Affected Systems

All releases of the WP Blockade – Visual Page Builder plugin by Burlingtonbytes up to and including version 0.9.14 are affected. Any WordPress site with one of these versions installed and active is exposed, since the admin_post hook is registered whenever the plugin loads.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) rates the flaw medium: reachable over the network, low attack complexity, low privileges required, no user interaction, high confidentiality impact and no direct integrity or availability impact. The EPSS estimate is below 1%, and the flaw is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: partial) points the same way. An attacker needs an account with the Subscriber role or higher, which is the default role for self-registered users on sites that allow registration; once logged in, a single GET request to wp-admin/admin-post.php?action=wp-blockade-shortcode-render&shortcode=... executes the supplied shortcode. The real impact is set by the shortcodes registered on the site: core's own shortcodes are mostly harmless, but shortcodes from other plugins that query data, perform actions or include files raise it to information disclosure or privilege escalation.

Generated by OpenCVE AI on April 8, 2026 at 08:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Blockade to a release later than 0.9.14 as soon as the vendor publishes one, and confirm that the shortcode preview handler performs a capability check (current_user_can()) and nonce verification (check_admin_referer()).
  • If an update is not yet available, temporarily deactivate or remove the WP Blockade plugin to eliminate the exploit path, or gate the admin_post_wp-blockade-shortcode-render action behind an editing capability from a must-use plugin until the fix ships.
  • Verify that the admin_post_wp-blockade-shortcode-render action is no longer registered, for example with has_action(), or that a request to wp-admin/admin-post.php?action=wp-blockade-shortcode-render made by a Subscriber account is refused rather than rendered.
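An operator-side interim mitigation and verification helper, as an added example for this page (not vendor code). It is written as a must-use plugin; the edit_posts capability, the priority-0 hook, the error_log() destination and the availability of WP-CLI for the check are assumptions.

```php
<?php
/*
Plugin Name: Interim gate for WP Blockade shortcode preview (added example)
Description: Denies admin_post_wp-blockade-shortcode-render to users without edit_posts
             and reports whether the action is still registered. Not vendor code.
*/

// admin-post.php authenticates the user, then fires admin_post_{action}. Hooking
// at priority 0 runs before the plugin's own handler (default priority 10), so
// the request is refused before do_shortcode() is reached. 'edit_posts' is assumed.
add_action( 'admin_post_wp-blockade-shortcode-render', 'blockade_preview_interim_gate', 0 );

function blockade_preview_interim_gate() {
    if ( current_user_can( 'edit_posts' ) ) {
        return; // editors and above fall through to the plugin's handler
    }
    $user      = wp_get_current_user();
    $shortcode = isset( $_GET['shortcode'] ) ? (string) wp_unslash( $_GET['shortcode'] ) : '';
    // Keep a record of who tried: a Subscriber hitting this endpoint is a
    // detection signal in its own right.
    error_log( sprintf(
        'wp-blockade-shortcode-render denied: user=%d login=%s ip=%s shortcode=%s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        substr( $shortcode, 0, 200 )
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// Verification: after updating or removing the plugin, is the action still
// registered, and by what? Hooks are added during plugin load, so call this
// from a late action (init or later), e.g. via `wp eval`.
function blockade_preview_hook_status() {
    $hook      = 'admin_post_wp-blockade-shortcode-render';
    $priority  = has_action( $hook ); // false, or the lowest registered priority
    $callbacks = array();
    if ( false !== $priority && isset( $GLOBALS['wp_filter'][ $hook ] ) ) {
        foreach ( $GLOBALS['wp_filter'][ $hook ]->callbacks as $prio => $entries ) {
            foreach ( $entries as $entry ) {
                $callbacks[] = $prio . ': ' . blockade_describe_callback( $entry['function'] );
            }
        }
    }
    return array( 'registered' => false !== $priority, 'callbacks' => $callbacks );
}

function blockade_describe_callback( $fn ) {
    if ( is_string( $fn ) ) {
        return $fn;
    }
    if ( is_array( $fn ) ) {
        $target = is_object( $fn[0] ) ? get_class( $fn[0] ) : (string) $fn[0];
        return $target . '::' . $fn[1];
    }
    return $fn instanceof Closure ? 'Closure' : 'unknown';
}
```

Drop the file in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard. To verify, run something like `wp eval 'print_r( blockade_preview_hook_status() );'` once the plugin has been updated: only your own gate (priority 0) should remain, or nothing at all if the plugin was removed. As a functional check, a request made with a Subscriber session to the endpoint with a harmless core shortcode such as [caption]test[/caption] should now return 403 instead of rendered HTML.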

Generated by OpenCVE AI on April 8, 2026 at 08:53 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Burlingtonbytes
                                      Burlingtonbytes wp Blockade – Visual Page Builder
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Burlingtonbytes
                                      Burlingtonbytes wp Blockade – Visual Page Builder
                                      Wordpress
                                      Wordpress wordpress

Wed, 08 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 07:00:00 +0000

Type         Values Removed   Values Added
Description                   The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files).
Title                         WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter
Weaknesses                    CWE-862
References                    (none)
Metrics                       cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:07.477Z

Reserved: 2026-03-03T14:43:17.464Z

Link: CVE-2026-3480

Vulnrichment

Updated: 2026-04-08T14:20:09.623Z

NVD

Status : Deferred

Published: 2026-04-08T07:16:21.243

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-3480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:46Z

Weaknesses