Missing Authorization Vulnerability in WP Blockade Plugin for WordPress
CVE-2026-3480

6.5 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 8 April 2026

What is CVE-2026-3480?

The WP Blockade plugin is missing authorization checks on the 'wp-blockade-shortcode-render' admin_post action, which any authenticated user can reach. The render_shortcode_preview() function performs neither a capability check nor nonce verification. As a result, users with Subscriber-level access or above can execute arbitrary shortcodes through the user-supplied 'shortcode' parameter. The risks include unauthorized information disclosure and potential privilege escalation, because malicious shortcodes from other plugins may access sensitive data or execute unintended actions on the site.
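One way to write a shortcode-preview handler that enforces the checks described above, as an added example that is neither WP Blockade's code nor its patch. The hook suffix, function name, nonce action, the 'edit_posts' capability and the allowlist are assumptions chosen for illustration.

```php
<?php
// Added illustration; not WP Blockade's code. The hook suffix, function name,
// nonce action, capability and allowlist below are all assumptions.

// Shortcode tags the preview endpoint may render (hypothetical allowlist).
const EXAMPLE_PREVIEW_TAGS = array( 'gallery', 'caption' );

// admin_post_{action} fires for every logged-in user, Subscribers included,
// so the handler has to enforce authorization itself.
add_action( 'admin_post_example_shortcode_preview', 'example_render_shortcode_preview' );

function example_render_shortcode_preview() {
	global $shortcode_tags;

	// 1. Capability check: only users who can edit content get a preview.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}

	// 2. Nonce check: dies unless the request carries a valid nonce for this action.
	check_admin_referer( 'example_shortcode_preview', '_wpnonce' );

	// 3. Accept the parameter from POST only, and only as a non-empty string.
	$raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
	if ( ! is_string( $raw ) || '' === trim( $raw ) ) {
		wp_die( 'Missing shortcode parameter.', '', array( 'response' => 400 ) );
	}

	// 4. Render with only the allowlisted tags registered, so shortcodes from
	//    other plugins stay inert text even when nested inside an allowed one.
	$saved          = $shortcode_tags;
	$shortcode_tags = array_intersect_key( $saved, array_flip( EXAMPLE_PREVIEW_TAGS ) );
	try {
		$html = do_shortcode( $raw );
	} finally {
		$shortcode_tags = $saved; // Always restore the full registry.
	}

	// 5. Filter the rendered markup before echoing it back.
	echo wp_kses_post( $html );
	exit;
}
```

The form or script that calls this handler has to include a matching nonce, for example one emitted with wp_nonce_field( 'example_shortcode_preview' ).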

Affected Version(s)

WP Blockade – Visual Page Builder 0 <= 0.9.14

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Youcef Hamdani