Security Alert Summary
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is affected by a remote code execution vulnerability (CVE-2026-7465). Authenticated users with Contributor-level access and above can execute code on the server by embedding a specially crafted two-block payload in post content that registers and then invokes an attacker-specified render callback.
CVE Details
- CVE ID:
CVE-2026-7465 - Affected component: The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress
- Affected versions: all versions up to, and including, 2.19.25
- Published: May 30, 2026 at 10:16:23 AM
- Last modified: May 30, 2026 at 10:16:23 AM
- CVSS v3.1: Base Score 8.8, Severity HIGH, Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - Authentication / privileges / user interaction: Authenticated attack required; CVSS Privileges Required: LOW (description specifies Contributor-level access and above); User Interaction: NONE
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness (CWE): CWE-269
Technical Details
The vulnerability is triggered by a two-block payload placed in post content. The first block registers a fake block type with a name prefixed by uagb/ and supplies an attacker-controlled render_callback. During rendering of the same page request, a second block of that fake type is rendered sequentially, which causes the plugin to invoke the attacker-specified callback via call_user_func(). Because the attacker controls the callback, this sequence permits execution of code on the server when performed by an authenticated user with Contributor-level access or higher.
This issue exists because the plugin allows registration and rendering of a fake uagb/-prefixed block type with an attacker-specified render callback during normal content rendering, and that callback is invoked via call_user_func() without the protections described in the advisory. The direct result is the ability for an authenticated low-privilege user to cause server-side code execution by embedding the two-block payload in post content.
How This Could Impact Your Website
In a typical small business WordPress site, multiple people may have content-related access: a site owner or administrator, internal staff editors, and external contributors or contractors. If a contributor account is used to create or edit posts, an attacker with Contributor-level access could embed the two-block payload in content. When an editor or a visitor loads the page and the blocks render during the same request, the attacker-supplied callback can execute on the server.
Practical consequences include exposure of sensitive data accessible to server-side code and an increased risk of targeted phishing or social engineering if internal email addresses or other user details are accessed. The attack does not necessarily imply full site takeover in every case, but it does allow high-impact actions that affect confidentiality, integrity, and availability according to the CVSS metrics.
If you\’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor-level accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior, especially unexpected content registrations or block render operations.
If you\’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L330
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L335
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L330
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L335
- https://wordpress.org/plugins/ultimate-addons-for-gutenberg/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/60013752-d7cf-46e8-84e1-1b614f737b46?source=cve