VYPR
Medium severity 4.3 · NVD Advisory · Published Feb 17, 2026 · Updated Apr 15, 2026

CVE-2026-2608

Description

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kadence Blocks plugin for WordPress ≤3.5.32 lacks a capability check, allowing Contributor+ users to perform an unauthorized action.

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to a broken access control issue in all versions up to and including 3.5.32. The vulnerability stems from a missing capability check on a specific function, which fails to properly verify whether the user has the required permissions to perform the action [1]. This oversight allows authenticated users with Contributor-level access or above to bypass intended authorization boundaries.

To exploit this vulnerability, an attacker must first obtain a valid WordPress user account with at least Contributor-level access. Once authenticated, they can directly invoke the unprotected function without needing any additional authentication or nonce validation. The attack is performed over the web interface and does not require any special network position or complex prerequisites [1].

The impact of this flaw is that an authenticated Contributor or higher can perform an action that should be restricted to higher-privileged roles such as Editor or Administrator. The exact action is not detailed, but the vulnerability is classified as a broken access control issue, meaning it could allow unauthorized post publication or other sensitive operations [1]. The CVSS score of 4.3 (Medium) reflects the requirement for authentication and the limited scope of the unauthorized action.

The vendor has released version 3.6.0 of the Kadence Blocks plugin which addresses the vulnerability by implementing the missing capability check. Users are strongly advised to update to this version or later. Automated updates via a patch management tool can also be enabled to protect against exploitation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
