Missing Authorization in Gutenberg Blocks with AI Plugin for WordPress by Kadence WP
CVE-2026-2633

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Kadence Blocks — Page Builder Toolkit For Gutenberg Editor
Vendor
CVE Published:
18 February 2026

What is CVE-2026-2633?

The Gutenberg Blocks with AI plugin by Kadence WP for WordPress is affected by a missing authorization vulnerability in its AJAX handling function. Specifically, the function process_image_data_ajax_callback() lacks proper capability checks, allowing authenticated users with Contributor-level access or higher to upload arbitrary images from remote URLs to the WordPress Media Library. This bypasses the standard WordPress restriction that generally prevents Contributors from uploading files, posing a significant risk of abuse in user-generated content environments.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor * <= 3.6.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/kadence-blocks...
https://plugins.trac.wordpress.org/browser/kadence-blocks...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ali Sünbül
JSON
.