Authorization Bypass Vulnerability in Kadence Blocks Plugin for WordPress
CVE-2026-12902
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 1 July 2026
What is CVE-2026-12902?
The Kadence Blocks plugin for WordPress allows authenticated users with contributor-level access and higher to exploit an authorization bypass vulnerability. This flaw occurs because the plugin fails to adequately verify a user's permissions before allowing actions on the Media Library. As a result, attackers can create and upload arbitrary media files to the site's uploads directory by utilizing functions like wp_upload_bits() and wp_insert_attachment(). This can lead to unauthorized access to sensitive media uploads, highlighting the importance of using the most recent version of the plugin to ensure proper security measures are in place.
Affected Version(s)
Kadence Blocks β Page Builder Toolkit for Gutenberg Editor 0 <= 3.7.7