Atomic Edge analysis of CVE-2026-2608:
This vulnerability is a missing authorization flaw in the Kadence Blocks WordPress plugin, affecting versions up to and including 3.5.32. The vulnerability allows authenticated attackers with Contributor-level permissions or higher to perform unauthorized actions, specifically creating and publishing custom post type content without proper capability checks. The CVSS score of 4.3 reflects a medium-severity issue with limited impact scope.
The root cause lies in the `process_cpt` function within the `Kadence_Blocks_Prebuilt_Library_REST_API` class. In the vulnerable version, the function processes custom post type content from imported prebuilt layouts without verifying the user's capability to publish content. The function at line 934 in `kadence-blocks/includes/class-kadence-blocks-prebuilt-library-rest-api.php` sets the post status to `'publish'` unconditionally when creating CPT content, bypassing WordPress's standard publishing permissions. The function processes CPT blocks including `kadence/header`, `kadence/navigation`, `kadence/advanced-form`, `kadence/query`, and `kadence/query-card` without proper authorization checks.
Exploitation requires an authenticated attacker with at least Contributor-level access to WordPress. The attacker would target the plugin’s REST API endpoint responsible for importing prebuilt layouts, specifically the endpoint that processes custom post type content. The attack vector involves sending a crafted request to the import functionality containing CPT blocks, which triggers the vulnerable `process_cpt` function. The payload would include CPT data with post content that the attacker wants to publish, exploiting the missing capability check during the import process.
The patch addresses the vulnerability by adding a capability check before setting the post status. In the patched version at line 934, the code now reads: `'post_status' => current_user_can('publish_posts') ? 'publish' : 'pending'`. This change ensures that only users with the `publish_posts` capability (typically Editors and Administrators) can create published CPT content during imports. Contributors and Authors without publishing rights will have their imported CPT content set to `'pending'` status, requiring editorial review. The fix maintains the same functionality while enforcing proper WordPress capability checks.
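The following PHP is an added illustration, not code from the Kadence Blocks plugin or from Atomic Edge. It places the unconditional-publish pattern the analysis describes next to the patched one-line check, and then goes one step further than the patch with a per-post-type variant: WordPress lets a custom post type register its own `capability_type`, so resolving the capability from `get_post_type_object()` honours that mapping instead of assuming the generic `publish_posts`. The helper names (`vulnerable_cpt_post_args`, `patched_cpt_post_args`, `import_status_for_post_type`) are my own; the WordPress core functions used (`current_user_can`, `get_post_type_object`, `sanitize_text_field`, `wp_kses_post`, `wp_insert_post`) are real and are assumed to be loaded.

```php
<?php
// Added example (not the plugin's own code). Assumes WordPress core is loaded.
// Demonstrates the missing-capability-check pattern behind CVE-2026-2608 and
// two hardened forms for building wp_insert_post() arguments during an import.

/**
 * Pattern as described for the vulnerable versions: the import path
 * publishes imported CPT content regardless of who triggered the import.
 * Kept here only to show the defect side by side with the fix.
 */
function vulnerable_cpt_post_args( string $post_type, string $title, string $content ): array {
    return array(
        'post_type'    => $post_type,
        'post_title'   => sanitize_text_field( $title ),
        'post_content' => wp_kses_post( $content ),
        'post_status'  => 'publish', // defect: no capability check at all
    );
}

/**
 * Patched pattern (mirrors the one-line change quoted in the analysis):
 * publish only when the caller holds 'publish_posts', otherwise queue the
 * post for editorial review as 'pending'.
 */
function patched_cpt_post_args( string $post_type, string $title, string $content ): array {
    return array(
        'post_type'    => $post_type,
        'post_title'   => sanitize_text_field( $title ),
        'post_content' => wp_kses_post( $content ),
        'post_status'  => current_user_can( 'publish_posts' ) ? 'publish' : 'pending',
    );
}

/**
 * Generalized variant (my own, beyond the patch): resolve the publish
 * capability registered for the target post type. A CPT registered with
 * 'capability_type' => 'page' (or a custom type) maps its publish cap to
 * something other than 'publish_posts', and this honours that mapping.
 * Unknown or unregistered post types are never auto-published.
 */
function import_status_for_post_type( string $post_type ): string {
    $pto = get_post_type_object( $post_type );
    if ( ! $pto ) {
        return 'pending'; // fail closed: unregistered type cannot be published
    }
    $cap = isset( $pto->cap->publish_posts ) ? $pto->cap->publish_posts : 'publish_posts';
    return current_user_can( $cap ) ? 'publish' : 'pending';
}

/**
 * Hardened import step: builds the post arguments with the per-type status
 * and inserts the post. Returns the new post ID, or a WP_Error on failure.
 */
function hardened_import_cpt( string $post_type, string $title, string $content ) {
    $args = array(
        'post_type'    => $post_type,
        'post_title'   => sanitize_text_field( $title ),
        'post_content' => wp_kses_post( $content ),
        'post_status'  => import_status_for_post_type( $post_type ),
    );
    return wp_insert_post( $args, true );
}
```

For a site-level check rather than a code-level one, the same capability logic can be exercised with WP-CLI: `wp eval 'var_dump( current_user_can( "publish_posts" ) );' --user=<contributor-login>` should print `false`, and an import run as that user on a patched install should leave the created header, navigation, form or query posts in `pending` status rather than `publish`.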
Successful exploitation allows Contributors to publish custom post type content without editorial approval, enabling unauthorized content publication on affected WordPress sites. This could lead to content policy violations, SEO manipulation, or the dissemination of malicious content. While the vulnerability doesn't provide direct privilege escalation or remote code execution, it bypasses editorial workflows and content moderation controls that are essential for multi-author WordPress installations.
