CVE-2026-7465
Description
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Exploitation requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the same page request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers with Contributor-level access can achieve remote code execution in Spectra Gutenberg Blocks plugin up to 2.19.25 via a two-block payload abusing dynamic block registration.
Vulnerability
The Spectra Gutenberg Blocks plugin (ultimate-addons-for-gutenberg) versions up to and including 2.19.25 contain a remote code execution vulnerability in the block rendering mechanism. The plugin allows dynamic registration of block types with a uagb/ prefix. An attacker can craft a post containing two blocks: the first block registers a fake block type with an attacker-controlled render_callback parameter, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the same page request [1][2][3][4]. No special configuration is required beyond the default plugin installation.
Exploitation
An authenticated attacker with at least Contributor-level access (who can create and edit posts) can embed the two-block payload in post content. The first block uses the plugin's block registration logic to define a new block type with a render_callback pointing to arbitrary PHP code. The second block, of the same fake type, causes the plugin to call call_user_func() on that callback during rendering. The attack requires no additional user interaction beyond viewing the post (or the attacker triggering the render). The payload is executed server-side when the post is rendered.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to full remote code execution. This can result in complete compromise of the WordPress site, including data theft, site defacement, or further lateral movement. The attacker gains the ability to run commands, read/write files, and potentially escalate privileges.
Mitigation
The vendor has not yet released a patched version as of the publication date (2026-05-30). Users should disable the plugin or restrict Contributor-level access until a fix is available. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time. Monitor the plugin's update channel for a version beyond 2.19.25.
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L330
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L335
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L335
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L330
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=2.19.25
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the render_callback parameter in block registration allows an attacker to supply an arbitrary PHP function that is later invoked via call_user_func()."
Attack vector
An authenticated attacker with Contributor-level access or above crafts a post containing two Gutenberg blocks. The first block registers a fake block type under the `uagb/` namespace prefix and sets its `render_callback` to an arbitrary PHP function (e.g., `system`, `eval`, or a WordPress code-execution function). The second block, of the same fake type, triggers the rendering pipeline, which calls `call_user_func()` with the attacker-supplied callback, executing arbitrary PHP code on the server. The attack is performed over HTTP and requires no special configuration beyond the attacker's existing post-editing privileges. [ref_id=1]
Affected code
The vulnerability resides in the Spectra (Ultimate Addons for Gutenberg) plugin's block registration and rendering logic. The plugin does not validate or restrict the `render_callback` parameter when a block is registered with a `uagb/`-prefixed name, allowing an attacker to supply an arbitrary PHP function name. During sequential block rendering, `call_user_func()` invokes that attacker-controlled callback without sanitization. The relevant code is in `class-uagb-init-blocks.php`. [ref_id=1]
What the fix does
The advisory does not include a published patch diff. The recommended remediation is to restrict the `render_callback` parameter to only allow callbacks from a predefined allowlist of safe functions, or to disallow user-supplied callbacks entirely when registering blocks under the plugin's namespace. Without a patch, the plugin remains vulnerable to authenticated RCE. [ref_id=1]
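As an added illustration of the allowlist remediation described above (this is not the plugin's code, and every function, constant and block name in it is hypothetical), the following PHP sanitises a block's registration arguments so that only an allowlisted render callback can ever reach `call_user_func()`:

```php
<?php
// Added illustration, not the plugin's own code. A render_callback is kept
// only if it is a plain function name present in the allowlist; anything
// else is swapped for a no-op renderer. All identifiers are hypothetical.
const UAGB_ALLOWED_RENDER_CALLBACKS = [
    'uagb_render_container', // hypothetical trusted renderers
    'uagb_render_heading',
];

function uagb_render_container( array $attributes, string $content ): string {
    return '<div class="uagb-container">' . $content . '</div>';
}

function uagb_render_heading( array $attributes, string $content ): string {
    return '<h2>' . htmlspecialchars( $content, ENT_QUOTES, 'UTF-8' ) . '</h2>';
}

function uagb_noop_render( array $attributes, string $content ): string {
    return '';
}

// Returns $args with render_callback guaranteed to be an allowlisted function.
function uagb_sanitize_block_args( string $name, array $args ): array {
    if ( strpos( $name, 'uagb/' ) !== 0 ) {
        throw new InvalidArgumentException( "not a uagb/ block: $name" );
    }
    $cb = $args['render_callback'] ?? null;
    // Only a string naming an allowlisted function passes. Closures, arrays
    // and "Class::method" strings cannot be compared, so they are rejected.
    if ( ! is_string( $cb ) || ! in_array( $cb, UAGB_ALLOWED_RENDER_CALLBACKS, true ) ) {
        error_log( "uagb: rejected render_callback for block $name" );
        $args['render_callback'] = 'uagb_noop_render';
    }
    return $args;
}

// Constructed sample registrations: one legitimate, one carrying an unlisted callback.
$blocks = [
    'uagb/heading'    => [ 'render_callback' => 'uagb_render_heading' ],
    'uagb/untrusted'  => [ 'render_callback' => 'some_unlisted_function' ],
];
foreach ( $blocks as $name => $args ) {
    $safe = uagb_sanitize_block_args( $name, $args );
    // Rendering now only ever invokes a vetted callback.
    echo $name, ' => ', call_user_func( $safe['render_callback'], [], 'hello' ), PHP_EOL;
}
```

The second block renders as an empty string and leaves a log line, which is also a useful signal to alert on: a `uagb/` block whose registration arrived with a callback outside the allowlist should never occur in normal operation.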
Preconditions
- auth: Attacker must have at least Contributor-level access to the WordPress site.
- input: Attacker must be able to create or edit posts containing Gutenberg blocks.
- config: The Spectra plugin must be installed and active.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php (nvd)
- plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php (nvd)
- wordpress.org/plugins/ultimate-addons-for-gutenberg/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/60013752-d7cf-46e8-84e1-1b614f737b46 (nvd)
News mentions
No linked articles in our index yet.