Kadence Blocks – Gutenberg Blocks for Page Builder Features Plugin Vulnerability (CVE-2026-12904)

Security Alert Summary

A vulnerability (CVE-2026-12904) in the Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress allows authenticated users with Contributor-level access or higher to read or delete optimizer analysis records belonging to other posts. The issue is an Insecure Direct Object Reference caused by a mismatch between the object used for authorization and the object used to access stored records.

CVE Details

  • CVE ID: CVE-2026-12904
  • Affected component: Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress
  • Affected versions: Up to and including 3.7.7
  • Published: July 1, 2026 at 5:16:17 AM UTC
  • Last modified: July 1, 2026 at 1:56:17 PM UTC
  • CVSS v3.1: Base score 4.3, severity MEDIUM, vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: Requires authentication with low privileges (PR:L). The vulnerability can be exploited without user interaction (UI:N). The description identifies Contributor-level access and above as sufficient.
  • Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
  • CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)

Technical Details

The plugin’s Optimize_Rest_Controller exposes endpoints that create, retrieve, and delete optimizer analysis records. Authorization is performed using capability checks against a user-supplied $post_id via calls like current_user_can('edit_post', $post_id) or current_user_can('delete_post', $post_id). However, the storage layer keys analysis records using sha256($post_path), where $post_path is supplied separately by the caller.

Because there is no enforcement that the supplied post_path corresponds to the supplied post_id, an authenticated attacker who passes a post_id they are authorized to edit while supplying a victim’s post_path can bypass intended access controls. The affected endpoints named in the report include create_item(), get_item(), delete_item(), and bulk_delete_items() in Optimize_Rest_Controller. The practical effect is that such an attacker can read or delete optimizer analysis records belonging to posts owned by other users.
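The mismatch described above, illustrated with a hypothetical REST handler added here for explanation (this is not Kadence Blocks' code): the vulnerable form authorizes against post_id but keys storage on a caller-supplied post_path, while the hardened form derives the storage key from the post the capability check actually covered. It assumes WordPress core functions (current_user_can, get_post, get_permalink, wp_parse_url, rest_ensure_response) and an invented option-based store named hypothetical_optimizer_.

```php
<?php
// Hypothetical handlers, not the plugin's code. Assumes a REST request
// carrying 'post_id' and 'post_path', and an invented option-based store.

// Vulnerable pattern: the capability check and the storage key refer to
// different objects, so the check does not constrain which record is read.
function hypothetical_get_item_vulnerable( WP_REST_Request $request ) {
    $post_id   = (int) $request['post_id'];
    $post_path = (string) $request['post_path']; // never tied to $post_id
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    $key = hash( 'sha256', $post_path ); // lookup keyed by an unchecked value
    return rest_ensure_response( get_option( 'hypothetical_optimizer_' . $key ) );
}

// Hardened pattern: derive the storage key server-side from the authorized post.
function hypothetical_storage_key_for_post( int $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return null;
    }
    // The path comes from the post the capability check covered, not the caller.
    $path = wp_parse_url( get_permalink( $post ), PHP_URL_PATH );
    return hash( 'sha256', (string) $path );
}

function hypothetical_get_item_fixed( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    $key = hypothetical_storage_key_for_post( $post_id );
    if ( null === $key ) {
        return new WP_Error( 'rest_not_found', 'Post not found.', array( 'status' => 404 ) );
    }
    // Any client-supplied post_path is ignored: the only reachable record is
    // the one belonging to the post the user was authorized against.
    return rest_ensure_response( get_option( 'hypothetical_optimizer_' . $key ) );
}
```

The same change applies to the delete paths: compute the key from the authorized post_id (with the delete_post capability) rather than from a separately supplied path.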

How This Could Impact Your Website

Consider a small site with a site owner, an internal editor, and an external contractor working as a Contributor. The contractor could use this issue to access or remove optimizer analysis records tied to other authors’ posts by supplying a post_id they are allowed to edit together with a victim post_path. Consequences include loss of optimization data for posts, and exposure of metadata related to post paths or editing activity that could aid targeted social engineering. The CVSS metrics indicate no direct confidentiality impact to core post content, but integrity of optimizer records is affected.

If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Contributor-level accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and plugin logs for unusual behavior related to optimizer operations.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
