VYPR
High severity · 7.2 · NVD Advisory · Published Jun 5, 2026

CVE-2026-10586

Description

WordPress Gutenberg Essential Blocks plugin vulnerable to SSRF, allowing authenticated users to make requests to arbitrary locations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to and including 6.1.3. The vulnerability exists within the save_ai_generated_image() function, which does not properly sanitize user-supplied input before making web requests.

Exploitation

An authenticated attacker with at least Author-level privileges can exploit this vulnerability. The attacker reaches the save_ai_generated_image() function by sending a crafted POST request to the plugin's AJAX action for saving AI-generated images, supplying an image_url of their choosing. The function then fetches that URL, so the outbound web request originates from the WordPress server and can target hosts that are only reachable from the server's network position.

Impact

Successful exploitation allows an attacker to perform Server-Side Request Forgery, enabling them to make arbitrary web requests originating from the web application. This can be leveraged to query and modify information from internal services, potentially leading to further compromise of the internal network or sensitive data disclosure.

Mitigation

Versions of the Gutenberg Essential Blocks plugin up to and including 6.1.3 are affected. A patch has been released in version 6.1.4, addressing this vulnerability. Users are strongly advised to update to version 6.1.4 or later immediately. [1]

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `save_ai_generated_image` function does not properly validate the `image_url` parameter before making an external HTTP request."

Attack vector

An authenticated attacker with Author-level access or above can send a crafted POST request to the `save_ai_generated_image` AJAX action. This request can include a malicious `image_url` pointing to an internal service. The application will then fetch content from this arbitrary URL, originating from the web application's server, potentially leading to information disclosure or manipulation of internal services [1].

Affected code

The vulnerability resides within the `save_ai_generated_image` function in the `AI.php` file of the Essential Blocks plugin. Specifically, the code responsible for downloading an image from a provided URL, `wp_remote_get( $image_url, [ 'timeout' => 60 ] )`, does not include sufficient validation for the `image_url` parameter [1].
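The following is an added example and is neither the plugin's own code nor the 6.1.4 patch (which is not in the bundle). It places the pattern the advisory describes, user-supplied `image_url` passed straight to `wp_remote_get()`, next to a hardened handler built on WordPress core APIs that do exist: `wp_http_validate_url()` and `wp_safe_remote_get()` (which sets `reject_unsafe_urls` so redirect targets are validated as well). Assumed for illustration only: the AJAX action name `eb_save_ai_generated_image`, the nonce action `eb_ai_image`, the `upload_files` capability check and the upload file naming; the `image_url` parameter and the `wp_remote_get( $image_url, [ 'timeout' => 60 ] )` sink are from the advisory.

```php
<?php
// Added example: NOT the plugin's code and NOT the 6.1.4 patch.
// From the advisory: the `image_url` parameter and the wp_remote_get() sink.
// Assumed for illustration: the AJAX action name, the nonce action
// 'eb_ai_image', the `upload_files` capability and the upload file naming.
// Needs a WordPress runtime (wp_http_validate_url, wp_safe_remote_get, ...).

// BEFORE: the pattern the advisory describes. Whatever the caller puts in
// image_url is fetched from the server's network position.
function eb_example_save_ai_image_vulnerable() {
    $image_url = isset( $_POST['image_url'] ) ? wp_unslash( $_POST['image_url'] ) : '';
    $response  = wp_remote_get( $image_url, [ 'timeout' => 60 ] ); // SSRF sink
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message() );
    }
    // Echoing the body turns a blind SSRF into a read of internal services.
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

/**
 * Allow only http(s) URLs whose host resolves to public addresses.
 * Returns the URL on success or a WP_Error naming the reason.
 */
function eb_example_validate_fetch_url( $url ) {
    $url = esc_url_raw( trim( (string) $url ), [ 'http', 'https' ] );
    if ( '' === $url ) {
        return new WP_Error( 'bad_scheme', 'Only http and https URLs are allowed.' );
    }
    // Core check: rejects userinfo in the URL, unusual ports and hosts that
    // resolve to loopback or RFC 1918 space.
    if ( ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'unsafe_url', 'URL rejected by wp_http_validate_url().' );
    }
    // Resolve again ourselves so link-local (169.254.0.0/16, the cloud
    // metadata range), IPv6 loopback/ULA and other reserved ranges are refused
    // regardless of what core's validator covers. PHP's filter flags cover
    // those ranges for both IPv4 and IPv6.
    $host      = (string) wp_parse_url( $url, PHP_URL_HOST );
    $addresses = filter_var( $host, FILTER_VALIDATE_IP ) ? [ $host ] : [];
    if ( ! $addresses ) {
        foreach ( (array) dns_get_record( $host, DNS_A | DNS_AAAA ) as $rec ) {
            if ( isset( $rec['ip'] ) )   { $addresses[] = $rec['ip']; }
            if ( isset( $rec['ipv6'] ) ) { $addresses[] = $rec['ipv6']; }
        }
    }
    if ( ! $addresses ) {
        return new WP_Error( 'unresolvable', 'Host does not resolve.' );
    }
    $public_only = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ( $addresses as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, $public_only ) ) {
            return new WP_Error( 'internal_address', "Host resolves to a non-public address ({$ip})." );
        }
    }
    return $url;
}

// AFTER: same flow with the checks a reviewer would ask for.
function eb_example_save_ai_image_hardened() {
    check_ajax_referer( 'eb_ai_image', 'nonce' );          // assumed nonce action
    if ( ! current_user_can( 'upload_files' ) ) {          // assumed capability
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $raw       = isset( $_POST['image_url'] ) ? wp_unslash( $_POST['image_url'] ) : '';
    $image_url = eb_example_validate_fetch_url( sanitize_text_field( $raw ) );
    if ( is_wp_error( $image_url ) ) {
        wp_send_json_error( $image_url->get_error_message(), 400 );
    }
    // wp_safe_remote_get() sets reject_unsafe_urls, so each redirect target is
    // run through wp_http_validate_url() too. A short timeout, few redirects
    // and a size cap limit what the server can be made to do on our behalf.
    $response = wp_safe_remote_get( $image_url, [
        'timeout'             => 15,
        'redirection'         => 2,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ] );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'Image fetch failed.', 502 );   // never echo the body
    }
    // Trust the bytes, not the Content-Type header: the body must parse as an image.
    $bits = wp_remote_retrieve_body( $response );
    $info = @getimagesizefromstring( $bits );
    $ok   = [ IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF, IMAGETYPE_WEBP ];
    if ( false === $info || ! in_array( $info[2], $ok, true ) ) {
        wp_send_json_error( 'Fetched content is not a supported image.', 415 );
    }
    $filename = 'ai-image-' . wp_generate_password( 8, false ) . image_type_to_extension( $info[2] );
    $upload   = wp_upload_bits( $filename, null, $bits );
    if ( ! empty( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 500 );
    }
    wp_send_json_success( [ 'url' => $upload['url'] ] );
}
add_action( 'wp_ajax_eb_save_ai_generated_image', 'eb_example_save_ai_image_hardened' ); // assumed action name
```

One residual risk the snippet does not close: the validator resolves the hostname once and the HTTP client resolves it again when it connects, so an attacker-controlled DNS server can answer with a public address for the check and an internal one for the fetch (DNS rebinding). Closing that requires connecting to the address that was validated (or routing all outbound fetches through an egress proxy that enforces the same policy), which is beyond what a plugin-level fix normally does; the checks above still remove the direct `http://127.0.0.1/...` and `http://169.254.169.254/...` cases the advisory is concerned with.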

What the fix does

The patch is not provided in the bundle. The advisory indicates that the vulnerability is fixed in version 6.1.4, so the remediation is to update the plugin to 6.1.4 or later; the specific validation added to `save_ai_generated_image` cannot be confirmed from the sources available here.

Preconditions

  • auth: Attacker must have at least Author-level privileges on the WordPress site.
  • input: The attacker must be able to send a POST request to the `save_ai_generated_image` AJAX endpoint.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
