Security Alert Summary
The Responsive Blocks – Page Builder for Blocks & Patterns WordPress plugin contains an unauthenticated open email relay vulnerability (CVE-2026-6675). Due to insufficient authorization checks and missing server-side validation of recipient email addresses on a public REST API route, an attacker can cause the site to send arbitrary email to recipients of their choosing.
CVE Details
- CVE ID: CVE-2026-6675
- Affected component: Responsive Blocks – Page Builder for Blocks & Patterns plugin
- Affected versions: All versions up to and including 2.2.0
- Published: April 21, 2026 at 03:16:09 AM
- Last modified: April 21, 2026 at 03:16:09 AM
- CVSS v3.1: Base Score 5.3, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Authentication / Privileges / User Interaction: Authentication not required; Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW; Scope: UNCHANGED
- Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-20 (Improper Input Validation)
Technical Details
The vulnerability is an unauthenticated open email relay. A public REST API route in the plugin accepts a recipient email address without proper server-side validation and lacks sufficient authorization checks. Because the API endpoint does not verify the recipient address or require authentication, an unauthenticated attacker can submit arbitrary recipient addresses and trigger the site to send email to those addresses through the site mail system.
References in the advisory point to the plugin file class-responsive-block-editor-addons.php (see references below) where the relevant route handling and email sending logic are implemented. The root cause is missing input validation and missing authorization checks on a public REST API route rather than a flaw in the mail transport itself.
Impact is limited to the ability to send arbitrary outgoing mail (integrity impact). The site content and stored confidential data are not indicated as directly exposed by the provided information.
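To make the two root causes concrete, the following is an added example written for this summary; it is not code from the plugin or from the advisory. It shows the registration pattern the advisory describes (a public route whose recipient comes straight from the request) next to a hardened registration of a hypothetical "send mail" route. The namespace example/v1, the route path, the example_* function names and the admin-email allowlist are assumptions; the WordPress functions used (register_rest_route, is_email, sanitize_email, sanitize_text_field, sanitize_textarea_field, current_user_can, wp_mail, rest_authorization_required_code) are core APIs.

```php
<?php
/**
 * Added example, not the plugin's code. The first function reproduces the
 * pattern behind the described flaw; the rest is the hardened form.
 * Namespace, route path and example_* names are assumptions.
 */

// Pattern matching the advisory: anyone may call the route, and the
// recipient is forwarded to wp_mail() without any server-side check.
function example_register_open_relay_route() {
    register_rest_route( 'example/v1', '/send', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // no authorization at all
        'callback'            => function ( WP_REST_Request $r ) {
            return wp_mail( $r['to'], $r['subject'], $r['message'] ); // 'to' unvalidated
        },
    ) );
}

// Hardened form: the caller must hold a capability, the recipient must be
// a syntactically valid address AND on a server-side allowlist, and the
// subject is stripped of line breaks so it cannot inject mail headers.
function example_allowed_recipients() {
    // Assumption: this feature only ever needs to reach the site administrator.
    return array( strtolower( get_option( 'admin_email' ) ) );
}

function example_validate_recipient( $value, WP_REST_Request $request, $param ) {
    $email = sanitize_email( $value );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'rest_invalid_param', 'Recipient is not a valid email address.', array( 'status' => 400 ) );
    }
    if ( ! in_array( strtolower( $email ), example_allowed_recipients(), true ) ) {
        return new WP_Error( 'rest_forbidden_recipient', 'Recipient is not on the allowlist.', array( 'status' => 403 ) );
    }
    return true;
}

function example_send_mail_callback( WP_REST_Request $request ) {
    $sent = wp_mail(
        sanitize_email( $request['to'] ),
        sanitize_text_field( $request['subject'] ),     // removes line breaks
        sanitize_textarea_field( $request['message'] )
    );
    if ( ! $sent ) {
        return new WP_Error( 'mail_failed', 'Mail could not be sent.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'sent' => true ) );
}

function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/send', array(
        'methods'             => 'POST',
        'callback'            => 'example_send_mail_callback',
        // Authorization: a capability check instead of __return_true. For
        // cookie-authenticated callers core also enforces the REST nonce
        // before this callback runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' )
                ? true
                : new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => rest_authorization_required_code() ) );
        },
        // Server-side validation of every parameter; 'to' is checked by
        // example_validate_recipient() before the callback is reached.
        'args' => array(
            'to'      => array( 'required' => true, 'validate_callback' => 'example_validate_recipient', 'sanitize_callback' => 'sanitize_email' ),
            'subject' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'message' => array( 'required' => true, 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The allowlist is the part that closes the relay: is_email() only proves the address is well-formed, so a route that validated syntax alone could still be used to mail any well-formed address of the caller's choosing. Tying recipients to a fixed set the site controls removes that, and the capability check stops anonymous callers before validation even runs.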
How This Could Impact Your Website
Consider a small organization running this plugin: the site owner maintains content, internal staff manage editorial workflows, and an external contractor contributes blocks or patterns. An attacker could use the vulnerable API route to send arbitrary emails that appear to originate from the site. Practical consequences may include increased spam volume sent from your domain, degraded email deliverability, and heightened risk of targeted phishing or social engineering attacks that leverage the site as a trusted sender.
The site owner and staff may see outgoing mail logs and bounce messages increase, and external recipients could be exposed to malicious or fraudulent messages seemingly sent from your site. If you need assistance determining whether your site is affected or how to assess current user roles and plugins, professional review may be worth considering.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level and similar roles with publishing or API access.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and limit public-facing APIs where possible.
- Monitor site activity and outgoing mail logs for unusual behavior, spikes in sent mail, or unfamiliar recipient addresses.
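For the last two items, a site owner can add a guard outside the plugin while waiting for a fix. The following must-use plugin is an added example for this summary, not part of the advisory or the plugin: it hooks the core pre_wp_mail filter (WordPress 5.7 and later) to stop mail that an unauthenticated REST request tries to send to addresses outside the site's own admin domain, logs each blocked attempt with the requesting IP and URI, and logs once per hour when sent volume crosses a threshold. The file name, the MRG_HOURLY_THRESHOLD value and the "admin domain only" allowlist are assumptions to tune per site; REST_REQUEST, is_user_logged_in, get_transient/set_transient and HOUR_IN_SECONDS are core.

```php
<?php
/**
 * wp-content/mu-plugins/mail-relay-guard.php (assumed path).
 * Added example, not the plugin's or the advisory's code. Blocks and logs
 * anonymous REST-triggered mail to recipients outside an allowlist, and
 * flags per-hour send spikes in the PHP error log.
 */

define( 'MRG_HOURLY_THRESHOLD', 50 ); // assumption: sends per hour that count as a spike

// Domain part of an address, or '' when there is no '@'.
function mrg_domain_of( $email ) {
    $at = strrchr( (string) $email, '@' );
    return false === $at ? '' : strtolower( substr( $at, 1 ) );
}

function mrg_allowed_domains() {
    // Assumption: anonymous requests only ever need to reach the admin's domain.
    return array_filter( array( mrg_domain_of( get_option( 'admin_email' ) ) ) );
}

// wp_mail() accepts a string of comma-separated addresses or an array.
function mrg_recipients_to_array( $to ) {
    if ( is_array( $to ) ) {
        return $to;
    }
    return array_map( 'trim', explode( ',', (string) $to ) );
}

// Count all sends in the current UTC hour; log once when the threshold is hit.
function mrg_record_send_and_check_spike() {
    $key   = 'mrg_sent_' . gmdate( 'YmdH' );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, 2 * HOUR_IN_SECONDS );
    if ( MRG_HOURLY_THRESHOLD === $count ) {
        error_log( sprintf( 'mail-relay-guard: %d messages sent in hour %s; possible relay abuse', $count, $key ) );
    }
}

function mrg_pre_wp_mail( $short_circuit, $atts ) {
    mrg_record_send_and_check_spike();

    // Only mail triggered by an unauthenticated REST request is restricted;
    // admin notices, password resets and logged-in users are left alone.
    $anonymous_rest = defined( 'REST_REQUEST' ) && REST_REQUEST && ! is_user_logged_in();
    if ( ! $anonymous_rest ) {
        return $short_circuit;
    }

    $allowed = mrg_allowed_domains();
    foreach ( mrg_recipients_to_array( $atts['to'] ) as $rcpt ) {
        if ( ! is_email( $rcpt ) || ! in_array( mrg_domain_of( $rcpt ), $allowed, true ) ) {
            error_log( sprintf(
                'mail-relay-guard: blocked anonymous REST mail to %s from %s (uri %s)',
                $rcpt,
                isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
                isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'unknown'
            ) );
            return false; // any non-null return stops wp_mail() from sending
        }
    }
    return $short_circuit;
}
add_filter( 'pre_wp_mail', 'mrg_pre_wp_mail', 10, 2 );
```

Because the guard returns false rather than altering the recipient list, the calling code sees an ordinary send failure and no message leaves the server; the error_log lines give the "unfamiliar recipient addresses" and "spikes in sent mail" signals the checklist above asks you to watch for, in a form that log tooling can alert on.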
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/responsive-block-editor-addons/tags/2.1.9/includes/class-responsive-block-editor-addons.php#L2212
- https://plugins.trac.wordpress.org/browser/responsive-block-editor-addons/tags/2.1.9/includes/class-responsive-block-editor-addons.php#L2324
- https://plugins.trac.wordpress.org/browser/responsive-block-editor-addons/tags/2.1.9/includes/class-responsive-block-editor-addons.php#L2403
- https://plugins.trac.wordpress.org/browser/responsive-block-editor-addons/trunk/includes/class-responsive-block-editor-addons.php#L2212
- https://plugins.trac.wordpress.org/browser/responsive-block-editor-addons/trunk/includes/class-responsive-block-editor-addons.php#L2324
- https://plugins.trac.wordpress.org/browser/responsive-block-editor-addons/trunk/includes/class-responsive-block-editor-addons.php#L2403
- https://www.wordfence.com/threat-intel/vulnerabilities/id/17452a29-bcef-451a-9893-a436ac5d3b80?source=cve