High severity8.8NVD Advisory· Published Feb 11, 2026· Updated Apr 15, 2026
CVE-2026-1560
CVE-2026-1560
Description
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.phpnvd
- plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.phpnvd
- plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-rest.phpnvd
- plugins.trac.wordpress.org/changeset/3454012/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/b1853c88-277b-4955-b042-aeed1cffb49bnvd
News mentions
0No linked articles in our index yet.