Kadence Blocks – Page Builder Toolkit for Gutenberg Editor Plugin Vulnerability (CVE-2026-2826)

Security Alert Summary

The Kadence Blocks – Page Builder Toolkit for Gutenberg Editor plugin for WordPress contains an authorization bypass in its REST API that can allow authenticated users with contributor-level access or higher to upload images to the Media Library. The issue is caused by a missing capability check in a REST endpoint that performs remote image downloads and media attachment creation.

CVE Details

  • CVE ID: CVE-2026-2826
  • Affected plugin or component: Kadence Blocks – Page Builder Toolkit for Gutenberg Editor plugin for WordPress
  • Affected versions: All versions up to, and including, 3.6.3
  • Published: April 4, 2026 at 9:16:20 AM
  • Last modified: April 4, 2026 at 9:16:20 AM
  • CVSS v3.1: Base Score 4.3, Medium; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: Requires authentication; low privileges required (contributor level and above); no user interaction required.
  • Primary impact: Confidentiality: None; Integrity: Low (unauthorized content upload); Availability: None
  • CWE / weakness ID: CWE-862

Technical Details

The vulnerability exists because the plugin does not verify that the calling user holds the upload_files capability before the process_pattern REST API endpoint does its work. As implemented, the endpoint accepts requests that include remote image URLs; the server downloads those images and creates attachments for them in the WordPress Media Library.

Because that capability check is missing, any authenticated user with contributor-level access or higher can invoke the endpoint and have the server fetch remote images and add them to the site. The root cause is a missing authorization check (CWE-862): a permission check that should gate file and media creation is never performed.

The practical impact is limited to uploading media through the vulnerable endpoint. Based on the available data, the issue does not expose confidential data or provide a means to execute remote code. However, added media could be used for social engineering, or to host content that supports other attack vectors.
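The following is an added illustration of the defect class described above, written for this page; it is not the Kadence Blocks plugin's code. It registers a hypothetical REST route (namespace, route and function names are assumptions) in the weak form, where the permission callback only confirms the caller is logged in, and in the hardened form, where the route and its handler both require upload_files, the capability WordPress uses to gate Media Library writes and one the default Contributor role does not hold.

```php
<?php
// Added example, not the plugin's own code. Route namespace, route names and
// function names are hypothetical. Load as a small plugin or mu-plugin.

// Shared worker: fetch a remote image and create a Media Library attachment.
// media_sideload_image() is core WordPress; it needs the wp-admin helpers.
function example_sideload_to_media_library( $url ) {
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $attachment_id = media_sideload_image( $url, 0, null, 'id' );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }
    return rest_ensure_response( array( 'attachment_id' => $attachment_id ) );
}

add_action( 'rest_api_init', function () {
    // --- Weak form (the pattern behind CWE-862): authentication is checked,
    // authorization is not. Every logged-in role passes, Contributor included.
    register_rest_route( 'example-blocks/v1', '/process_pattern', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in', // defect: no capability check
        'callback'            => function ( WP_REST_Request $request ) {
            return example_sideload_to_media_library( $request->get_param( 'image_url' ) );
        },
    ) );

    // --- Hardened form: the permission callback asks for the capability that
    // governs uploads, the URL is validated before any network request, and the
    // handler re-checks so no alternate code path reaches the sideload without it.
    register_rest_route( 'example-blocks/v1', '/process_pattern_safe', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args' => array(
            'image_url' => array(
                'required'          => true,
                'type'              => 'string',
                // wp_http_validate_url() is core; it rejects malformed URLs and,
                // unless a filter allows it, hosts in private/loopback ranges.
                'validate_callback' => function ( $value ) {
                    return false !== wp_http_validate_url( $value );
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'upload_files' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to upload files.',
                    array( 'status' => 403 )
                );
            }
            return example_sideload_to_media_library( $request->get_param( 'image_url' ) );
        },
    ) );
} );
```

The important line is the permission_callback: is_user_logged_in answers "who are you?", while current_user_can( 'upload_files' ) answers "may you do this?". Checking the capability inside the handler as well costs nothing and protects against the route later being wired to a second, less careful registration.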

How This Could Impact Your Website

In a typical small business WordPress site, the site owner manages administrative settings, internal staff create content, and external contractors or contributors supply posts and media. If a contributor-level user is able to upload images via the vulnerable endpoint, an external contributor or compromised account could add images or files to the Media Library without the owner or administrators explicitly approving those uploads.

Practical consequences include an increased risk of targeted phishing or social engineering if attackers upload images that include deceptive links or branding, or if they host images that support malicious campaigns. Unfamiliar or unexpected media in the Media Library can also complicate content moderation and increase review workload for site administrators.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor accounts that are not required.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and the Media Library for unusual uploads or unfamiliar files.
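To make the last item concrete, here is an added detection script (written for this page, not part of the advisory or the plugin) that lists Media Library attachments whose author belongs to a role that does not carry upload_files. On a stock install that covers Contributor and Subscriber, so any hit is something that ordinary WordPress would not have produced. The file name and the 30-day window are assumptions; it is meant to be run with WP-CLI's eval-file command.

```php
<?php
// Added example, not from the advisory. Run with:
//   wp eval-file find-unexpected-uploads.php
// Roles are inspected at runtime rather than hard-coded, so custom roles and
// capability changes made by other plugins are taken into account.

function example_roles_without_upload_capability() {
    $roles = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( empty( $role['capabilities']['upload_files'] ) ) {
            $roles[] = $slug;
        }
    }
    return $roles;
}

// Returns one row per attachment created by a user whose role should not be
// able to upload at all. $since is any strtotime()-style relative date.
function example_find_unexpected_uploads( $since = '-30 days' ) {
    $findings = array();
    $roles    = example_roles_without_upload_capability();
    if ( empty( $roles ) ) {
        return $findings;
    }

    $user_ids = get_users( array( 'role__in' => $roles, 'fields' => 'ID' ) );
    if ( empty( $user_ids ) ) {
        return $findings;
    }

    $attachments = get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',   // attachments use 'inherit', not 'publish'
        'author__in'     => $user_ids,
        'posts_per_page' => -1,
        'date_query'     => array( array( 'after' => $since ) ),
    ) );

    foreach ( $attachments as $attachment ) {
        $findings[] = array(
            'attachment_id' => $attachment->ID,
            'author'        => get_the_author_meta( 'user_login', $attachment->post_author ),
            'file'          => get_post_meta( $attachment->ID, '_wp_attached_file', true ),
            'mime_type'     => $attachment->post_mime_type,
            'uploaded_gmt'  => $attachment->post_date_gmt,
        );
    }
    return $findings;
}

$rows = example_find_unexpected_uploads();
if ( empty( $rows ) ) {
    WP_CLI::success( 'No attachments authored by roles lacking upload_files.' );
} else {
    WP_CLI::warning( count( $rows ) . ' attachment(s) authored by roles lacking upload_files:' );
    WP_CLI\Utils\format_items( 'table', $rows, array( 'attachment_id', 'author', 'file', 'mime_type', 'uploaded_gmt' ) );
}
```

A non-empty result is not proof of exploitation, but it is exactly the artefact a missing upload_files check leaves behind, and each row points at a file an administrator should inspect and, if unwanted, delete and trace back to the account that created it.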

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
