Authorization Bypass Vulnerability in Kadence Blocks Plugin for WordPress
CVE-2026-12902

4.3MEDIUM

What is CVE-2026-12902?

The Kadence Blocks plugin for WordPress allows authenticated users with contributor-level access and higher to exploit an authorization bypass vulnerability. This flaw occurs because the plugin fails to adequately verify a user's permissions before allowing actions on the Media Library. As a result, attackers can create and upload arbitrary media files to the site's uploads directory by utilizing functions like wp_upload_bits() and wp_insert_attachment(). This can lead to unauthorized access to sensitive media uploads, highlighting the importance of using the most recent version of the plugin to ensure proper security measures are in place.

Affected Version(s)

Kadence Blocks β€” Page Builder Toolkit for Gutenberg Editor 0 <= 3.7.7

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

se1en
.