Atomic Edge analysis of CVE-2026-6703:

The Responsive Blocks plugin for WordPress (versions 2.2.1 and earlier) contains a missing authorization vulnerability in multiple AJAX action handlers. This flaw allows authenticated attackers with contributor-level access or higher to modify global site-wide plugin configuration options. The vulnerability is rated CVSS 4.3 (Medium) due to the requirement for authenticated access, but the impact is complete compromise of plugin-level settings that affect site-wide behavior.

Root Cause: The vulnerability stems from the absence of capability checks in nine AJAX callback methods defined in the class `Responsive_Block_Editor_Addons` in file `responsive-block-editor-addons/includes/class-responsive-block-editor-addons.php`. The vulnerable methods are: `rbea_blocks_toggle()` (line 1723), `rbea_toggle_auto_block_recovery()` (line 1746), `rbea_toggle_global_inherit_from_theme()` (line 1767), `rbea_toggle_custom_css()` (line 1792), `rbea_toggle_template_library_button()` (line 1813), `rbea_save_content_width()` (line 1835), `rbea_save_container_padding()` (line 1859), and `rbea_save_container_gap()` (line 1883). Each method only verifies a nonce via `check_ajax_referer()` but does not call `current_user_can()` to check for administrator-level permissions. The nonce check alone is insufficient: a nonce only proves that the request originated from a page the plugin rendered for the current user (a CSRF defence), so any authenticated user who can load that admin page obtains a valid one, regardless of role. The vulnerable AJAX actions are: `rbea_blocks_toggle`, `rbea_toggle_auto_block_recovery`, `rbea_toggle_global_inherit_from_theme`, `rbea_toggle_custom_css`, `rbea_toggle_template_library_button`, `rbea_save_content_width`, `rbea_save_container_padding`, and `rbea_save_container_gap`.

Exploitation: An attacker with contributor-level access (or higher) can forge AJAX requests to `wp-admin/admin-ajax.php` targeting any of the vulnerable actions. The attacker obtains a valid nonce from the WordPress admin page where the plugin enqueues its scripts. The nonce is typically exposed in a JavaScript variable or inline script. The attacker sends a POST request with the `action` parameter set to the vulnerable action name and the `value` parameter containing the desired setting. For example, to disable all blocks, the attacker sends `action=rbea_blocks_toggle&value=disabled&nonce=VALID_NONCE`. To modify content width, they send `action=rbea_save_content_width&value=1200&nonce=VALID_NONCE`. No administrator-level capability is required beyond being an authenticated user with a nonce.

Patch Analysis: The patch adds a capability check `current_user_can( 'manage_options' )` before processing each AJAX request. This check enforces that only users with the `manage_options` capability (typically administrators) can execute these actions. The patch inserts the check at the beginning of each vulnerable method immediately after the nonce verification. The patch also adds `ABSPATH` exit guards to several other files as hardening. The version is bumped from 2.2.1 to 2.2.2. The diff shows the exact changes:

```
+ if ( ! current_user_can( ‘manage_options’ ) ) {
+ wp_send_json_error( array( ‘message’ => ‘Forbidden’ ), 403 );
+ return;
+ }
```
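Review bot: `wp_send_json_error()` terminates the request itself (it calls `wp_die()` after emitting the JSON), so the `return;` on the following line is unreachable; harmless, but it can be dropped. The quotes around manage_options as rendered here are typographic (‘ ’); the committed PHP needs straight single quotes, otherwise the line is a parse error. Since the same four lines are repeated in each of the handlers listed in the root-cause section, one private helper that performs both the nonce and the capability check would make it harder for a future handler to be added without it.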

This prevents any user without administrator privileges from making changes to global plugin settings.
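To make the nonce-versus-capability distinction concrete, the following is an added illustration (not the plugin's code) of a settings AJAX handler written the way the root-cause section describes, beside the same handler with the check the patch adds. The function names, option name, nonce action and allowed values are placeholders assumed for the example.

```php
<?php
// Added illustration, not the plugin's code. Option name, nonce action and
// function names are assumed placeholders.

// BEFORE: nonce only. check_ajax_referer() proves the request came from a
// page that rendered the nonce; any logged-in user who can load wp-admin
// (a contributor can) gets such a page. It says nothing about the user's role.
function example_toggle_setting_vulnerable() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value ); // site-wide write
    wp_send_json_success( array( 'value' => $value ) );
}

// AFTER: the same handler with the authorization check the patch adds.
// Nonce first (CSRF), then capability (authorization); each guards a
// different thing and neither replaces the other.
function example_toggle_setting_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // ends the request
    }

    // Constrain the value to the states the option actually supports.
    $allowed = array( 'enabled', 'disabled' );
    $value   = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    if ( ! in_array( $value, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid value' ), 400 );
    }

    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'value' => $value ) );
}

// Registering under wp_ajax_* (not wp_ajax_nopriv_*) limits the action to
// logged-in users, but every role can still reach it, hence the check above.
add_action( 'wp_ajax_example_toggle_setting', 'example_toggle_setting_hardened' );
```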

Impact: Successful exploitation allows an attacker to modify global plugin configuration including: enabling or disabling custom CSS, toggling blocks on/off site-wide, changing content width defaults, adjusting container padding and gap values, and toggling auto-block-recovery behavior. This can lead to site defacement (by injecting or disabling CSS), broken layouts (by changing container dimensions), and degraded user experience. The attacker cannot escalate to full site compromise but can cause persistent visual and functional damage that requires administrator intervention to revert. The plugin's configuration options are stored in the WordPress options table and affect all pages using the plugin's blocks.