WordPress Security Bulletin: Gutenberg Blocks with AI by Kadence WP Plugin Vulnerability (CVE-2026-2633)

Security Alert Summary

The Gutenberg Blocks with AI by Kadence WP plugin contains a missing authorization vulnerability that allows authenticated users with Contributor-level access and above to upload images from remote URLs into the WordPress Media Library. The issue is caused by an incomplete capability check in the plugin’s AJAX handler, which permits file uploads that should be restricted to users with the upload_files capability.


CVE Details

  • CVE ID: CVE-2026-2633
  • Affected component: Gutenberg Blocks with AI by Kadence WP plugin for WordPress
  • Affected versions: All versions up to and including 3.6.1
  • Published: February 18, 2026 at 07:16:10 AM UTC
  • Last modified: February 18, 2026 at 07:16:10 AM UTC
  • CVSS v3.1: Base Score 4.3 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (Contributor-level and above). No user interaction required (UI:N).
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • CWE / weakness: CWE-862 (Missing Authorization)

Technical Details

The plugin’s AJAX handler process_image_data_ajax_callback() processes the kadence_import_process_image_data AJAX action. The function relies on a helper verify_ajax_call() to perform an authorization check, but that check only validates the edit_posts capability and does not verify the required upload_files capability. Because Contributors typically have edit_posts but not upload_files, the missing check allows authenticated users at Contributor level and above to trigger image import from remote URLs and add those images to the WordPress Media Library.

The vulnerability exists due to the missing capability verification; it permits an action that the WordPress capability model is intended to restrict. The impact is limited to the ability to upload arbitrary images to the Media Library and does not, based on the CVE data, indicate additional privilege escalation or remote code execution.
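To make the check described above concrete, here is an added illustrative example of the weak capability check beside a hardened one, written for this bulletin; it is not the plugin's own code, and the function names, nonce action and AJAX action (example_verify_ajax_call_weak, example_verify_ajax_call_hardened, example_process_image_data, example_ajax_nonce) are assumptions. Only the WordPress core functions used are real.

```php
<?php
// Added example, not code from the Kadence plugin. Hypothetical names throughout.

// Weak pattern: the handler writes to the Media Library, but the guard only asks
// for edit_posts, which the default Contributor role already holds.
function example_verify_ajax_call_weak() {
    check_ajax_referer( 'example_ajax_nonce', 'security' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
}

// Hardened pattern: gate the action on the capability WordPress itself uses for
// media uploads. Contributors lack upload_files by default, so they are refused.
function example_verify_ajax_call_hardened() {
    check_ajax_referer( 'example_ajax_nonce', 'security' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
}

// AJAX handler that side-loads a remote image into the Media Library.
function example_process_image_data() {
    example_verify_ajax_call_hardened();

    $url = isset( $_POST['image_url'] ) ? esc_url_raw( wp_unslash( $_POST['image_url'] ) ) : '';
    // wp_http_validate_url() rejects malformed URLs and, by default, private/loopback hosts.
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'Invalid image URL', 400 );
    }
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // media_sideload_image() fetches the file, creates the attachment, and returns its ID.
    $attachment_id = media_sideload_image( $url, $post_id, null, 'id' );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( $attachment_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}

// Registered for logged-in users only (wp_ajax_, not wp_ajax_nopriv_).
add_action( 'wp_ajax_example_process_image_data', 'example_process_image_data' );
```

The nonce check alone does not fix the problem: a nonce proves the request came from the site's own UI, not that the user is allowed to perform the action. The capability test is what enforces the WordPress role model, and it has to name the capability that matches the side effect (upload_files for anything that creates media).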


How This Could Impact Your Website

In a multi-user site, a typical scenario could involve a site owner, internal editors, and external contributors. An external contributor who should only be able to submit posts could exploit this issue to upload arbitrary images into the Media Library. Those uploads could be publicly accessible or viewable by other users with media access, increasing the risk of targeted social engineering or phishing if images contain links or content used to impersonate staff or services. Site maintainers may also see unexpected media entries that complicate content management and review processes.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
  • Review and reduce unnecessary user roles, especially Contributor-level accounts that do not need upload capabilities.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and the Media Library for unusual or unexpected uploads.
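For the role review and Media Library monitoring steps above, the following added audit script (written for this bulletin, not part of the plugin or of WordPress) lists recent attachments whose owner does not currently hold upload_files. Running it through WP-CLI as `wp eval-file audit-attachments.php` is one option; the file name and the 30-day window are assumptions.

```php
<?php
// Added example: flag Media Library entries owned by users without upload_files.
// Intended to run inside a loaded WordPress (WP-CLI eval-file or a mu-plugin).

function example_find_attachments_without_upload_cap( $since = '-30 days' ) {
    $findings = array();

    // Attachments use post_status 'inherit'; fetch only IDs to keep the query light.
    $attachments = get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'date_query'     => array( array( 'after' => $since ) ),
    ) );

    foreach ( $attachments as $id ) {
        $author_id = (int) get_post_field( 'post_author', $id );
        $author    = get_userdata( $author_id );

        // user_can() evaluates the capability against the user's current roles,
        // so a Contributor-owned upload (or an orphaned one) is reported for review.
        if ( ! $author || ! user_can( $author, 'upload_files' ) ) {
            $findings[] = array(
                'attachment_id' => $id,
                'author'        => $author ? $author->user_login : "(missing user #{$author_id})",
                'roles'         => $author ? implode( ',', $author->roles ) : '',
                'file'          => get_attached_file( $id ),
                'date_gmt'      => get_post_field( 'post_date_gmt', $id ),
            );
        }
    }
    return $findings;
}

foreach ( example_find_attachments_without_upload_cap() as $row ) {
    printf(
        "attachment %d owned by %s [%s] %s (%s UTC)\n",
        $row['attachment_id'],
        $row['author'],
        $row['roles'],
        $row['file'],
        $row['date_gmt']
    );
}
```

A hit is not proof of abuse: a user whose role was later reduced, or a deleted account, will also appear. It is a review list that pairs with the role clean-up recommended above, and it can be scheduled (for example via WP-Cron) to surface new entries as they appear.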

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
