Sensitive Information Exposure in Kadence Blocks Plugin for WordPress
CVE-2026-11357

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Kadence Blocks — Page Builder Toolkit For Gutenberg Editor
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-11357?

The Kadence Blocks plugin for WordPress is prone to a vulnerability that exposes sensitive information through the editor assets variables. Authenticated users with contributor-level access can leverage this flaw to retrieve critical data, including the site's connected Kadence account license key, license owner email, API key, API email, and license domain. This information can be accessed from the browser console, specifically by inspecting the window.kadence_blocks_params.proData. Exploitation requires an administrator to have already connected a Kadence license, making it accessible to any contributor in the block editor environment, without the need for server-side request manipulation.

Affected Version(s)

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor 0 <= 3.7.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/kadence-blocks...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Hyun seo shin

CVE-2026-11357 Data

JSON