Unauthenticated Open Email Relay Vulnerability in Responsive Blocks – Page Builder for Blocks & Patterns Plugin from WordPress
CVE-2026-6675

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Responsive Blocks – Page Builder For Blocks & Patterns
Vendor: CVE Published:; 21 April 2026

What is CVE-2026-6675?

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to an unauthenticated open email relay issue, which affects all versions up to and including 2.2.0. The vulnerability arises from inadequate authorization checks and a lack of validation for the recipient's email address supplied through a public REST API route. As a result, attackers without authentication can exploit the flaw to send arbitrary emails, potentially leading to spam abuse and reputational damage for affected websites. This vulnerability underscores the importance of implementing strict validation and authorization mechanisms to safeguard against unauthorized email transmission.

Affected Version(s)

Responsive Blocks – Page Builder for Blocks & Patterns 0 <= 2.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/responsive-blo...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

Even Stokkedalen

CVE-2026-6675 Data

JSON