Insecure Direct Object Reference in Kadence Blocks by Kadence WP
CVE-2026-12904
4.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-12904?
The Kadence Blocks plugin for WordPress contains a vulnerability that permits authenticated attackers to read or delete optimizer analysis records belonging to other users' posts. The authorization checks are performed against a user-supplied post_id, but the record that is actually read or deleted is selected by a separate, attacker-controlled post_path parameter, so the check does not cover the object being accessed. Consequently, users with Contributor-level access and above can exploit this mismatch in the Optimize_Rest_Controller's endpoints, including create_item(), get_item(), delete_item(), and bulk_delete_items(), leading to unauthorized access to potentially sensitive data.
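The following PHP sketch is an added illustration, not Kadence Blocks' own code, of the mismatch described above and of one way to close it: the class names, the in-memory record store and the helper methods are assumed, while the WordPress APIs used (WP_REST_Request, current_user_can(), get_post(), WP_Error) are real.

```php
<?php
// Added illustration (not the plugin's code). Shared storage stand-in: records keyed by a path string.
abstract class Hypothetical_Optimize_Controller {
    protected static $records = array(); // constructed in-memory store, stands in for real persistence
    protected function record_path_for_post( $post_id ) {
        return 'optimizer/' . (int) $post_id; // server-derived key for a post's analysis record
    }
    protected function delete_record_by_path( $path ) {
        $existed = isset( self::$records[ $path ] );
        unset( self::$records[ $path ] );
        return $existed;
    }
}

// Vulnerable pattern: permission is checked against post_id, but the record acted on is chosen by post_path.
class Hypothetical_Controller_Vulnerable extends Hypothetical_Optimize_Controller {
    public function delete_item_permissions_check( WP_REST_Request $request ) {
        $post_id = (int) $request->get_param( 'post_id' );
        return current_user_can( 'edit_post', $post_id ); // authorizes post_id only ...
    }
    public function delete_item( WP_REST_Request $request ) {
        $path = (string) $request->get_param( 'post_path' ); // ... but acts on an unrelated, caller-chosen object
        return $this->delete_record_by_path( $path );
    }
}

// Hardened pattern: the object key is derived from the post that was actually authorized, so the
// permission check and the effect refer to the same object. For a bulk endpoint, apply the same
// check to every post_id in the list rather than accepting a list of paths.
class Hypothetical_Controller_Fixed extends Hypothetical_Optimize_Controller {
    public function delete_item_permissions_check( WP_REST_Request $request ) {
        $post_id = (int) $request->get_param( 'post_id' );
        if ( ! get_post( $post_id ) ) {
            return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
        }
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return new WP_Error( 'rest_forbidden', 'Not allowed for this post.', array( 'status' => 403 ) );
        }
        return true;
    }
    public function delete_item( WP_REST_Request $request ) {
        $post_id = (int) $request->get_param( 'post_id' );
        $path    = $this->record_path_for_post( $post_id ); // post_path from the request is never used as a key
        return $this->delete_record_by_path( $path );
    }
}
```

The same principle applies to get_item() and create_item(): whatever identifies the record must be computed from the post the permission callback checked, not read independently from the request.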
Affected Version(s)
Kadence Blocks – Page Builder Toolkit for Gutenberg Editor, versions from 0 up to and including 3.7.7