CVE-2026-13756: WP Grid Builder Privilege Escalation
TL;DR - Authenticated users can escalate to Administrator in WP Grid Builder through version 2.3.3. - Affected sites should upgrade immediately and audit role changes plus requests to
/wp-json/wpgb/v2/metadata. - No confirmed exploitation in the wild has been cited, but the impact is high.
Vulnerability at a Glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-13756 |
| CVSS | 8.8 (High) |
| Attack vector | Network via WordPress REST API |
| Privileges required | Authenticated user, Subscriber-level or above |
| Patch available | Yes, update to a version later than 2.3.3; 2.3.4 or newer is the likely fixed boundary based on NVD wording, but defenders should confirm vendor changelog details directly |
This vulnerability affects the WP Grid Builder plugin for WordPress and allows a logged-in low-privilege user to elevate privileges to Administrator. The vulnerable path is the plugin REST endpoint at /wp-json/wpgb/v2/metadata, specifically the update() handler.
The practical risk is straightforward: if your site allows user registration or has many low-privilege accounts, an attacker who can authenticate may be able to turn a Subscriber account into an Administrator account. From there, full site compromise is usually only a few clicks away through plugin installation, theme editing, or user management.
What Is This Vulnerability?
CVE-2026-13756 is an authenticated privilege-escalation flaw caused by missing authorization checks and insufficient validation of metadata keys in the WP Grid Builder REST API metadata update handler. According to NVD, the issue exists in all versions up to and including 2.3.3.
The dangerous part is that the endpoint can be abused to modify user metadata that should never be writable by low-privilege users. In WordPress, wp_capabilities is a highly sensitive user meta field because it defines the user’s role assignments. If a plugin permits arbitrary or insufficiently filtered writes to that field, even indirectly through a crafted nested array payload, an attacker can assign themselves the Administrator role.
In other words, this is not just a generic input-validation bug. It is a role-integrity failure. The vulnerable code path appears to let an authenticated user influence metadata updates without strictly enforcing whether that user is authorized to touch a sensitive meta key, and without sufficiently constraining the shape or nesting of submitted data.
Technical Notes
A representative abuse path, based on the NVD description, is:
- Attacker authenticates as a Subscriber or higher.
- Attacker sends a crafted request to
/wp-json/wpgb/v2/metadata. - The vulnerable
update()handler accepts a nested payload that reacheswp_capabilities. - WordPress stores attacker-controlled role data in user meta.
- The attacker receives Administrator privileges.
Sensitive WordPress user meta involved in this class of issue:
wp_capabilities
wp_user_level
Any plugin endpoint that can write arbitrary user meta, especially via REST, should be treated as high risk unless it strictly enforces both: - object-level authorization, and - an allowlist of safe meta keys.
Who Is Affected?
The affected product is the WP Grid Builder plugin for WordPress. Based on the available source material, the vulnerable version range is explicitly:
- All versions up to and including 2.3.3
- shorthand:
<= 2.3.3
The attacker must be authenticated. NVD states exploitation is possible for users with Subscriber-level access and above. This issue is especially relevant for WordPress deployments that allow public user registration, community access, customer accounts, membership accounts, or any workflow that creates non-admin user accounts at scale.
The exact fixed version is not quoted in the source text provided here, but the NVD wording strongly implies the flaw is remediated in a version newer than 2.3.3. The safest actionable guidance is to update to the latest available WP Grid Builder release. In the absence of a directly quoted vendor fix line from the changelog text available here, defenders should assume 2.3.4 or later is the likely patched boundary and verify against the vendor changelog before change approval.
Technical Notes
To identify installed plugin versions from a WordPress host, admins can check:
wp plugin list | grep -i "wp-grid-builder"
Or inspect the plugin readme/header on disk:
grep -R "Version:" /var/www/html/wp-content/plugins/wp-grid-builder/ | head
If your environment uses immutable containers or managed hosting, also verify the plugin version from the WordPress admin UI and from deployment manifests, since filesystem state may not reflect the currently mounted release package.
CVSS Score Breakdown
NVD scores CVE-2026-13756 at 8.8 High. The exact vector string was not returned in the provided research note, so defenders should avoid assuming the unquoted component values beyond what is supported by the description. Still, the narrative around the score is clear: this is a high-impact bug because it enables privilege escalation to Administrator from a low-privilege authenticated starting point.
The most important score driver is impact. Administrator-level access in WordPress often means complete control of the site, its content, its users, and often underlying code execution paths through plugin or theme management. Even though authentication is required, Subscriber-level access is a low bar in many real deployments. That makes the vulnerability operationally serious for internet-facing WordPress sites that permit account creation or that have many user accounts.
The attack vector is network-reachable because the issue is exposed through a REST endpoint. Privileges required are low, not none, which likely keeps the score below critical. User interaction does not appear necessary once the attacker is authenticated and can submit the crafted payload.
Because the exact CVSS vector is not available in the material provided here, defenders should treat the component-level breakdown as partially unknown and rely on the confirmed facts: network exposure, authenticated low-privilege exploitation, and high integrity impact due to admin role assignment.
Exploitation Status
At the time of writing, the available sources do not confirm active exploitation in the wild for CVE-2026-13756. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog based on the provided KEV lookup result. That means there is no CISA-backed confirmation of current exploitation.
Likewise, no verified public proof-of-concept repository was established from the sources retrieved for this task. That does not prove that no PoC exists. It only means none was confirmed from the available evidence. Defenders should avoid the false comfort of “no PoC found” because this vulnerability class is straightforward for capable attackers to reproduce from the vulnerability description alone.
For risk handling, the right assumption is: exploitation is plausible even if not publicly confirmed. The endpoint is exposed over HTTP, the required privilege level is low, and the target field (wp_capabilities) is well understood by WordPress attackers and researchers.
Technical Notes
Current known status from provided sources:
- Public PoC: Unknown / not verified from retrieved sources
- In-the-wild exploitation: Not confirmed from retrieved sources
- CISA KEV: No
Operationally, treat this as a high-priority patch because: - exploit development complexity appears modest, - post-exploitation impact is severe, - many WordPress sites have numerous low-privilege accounts.
How to Detect It
Detection should focus on two things: suspicious access to the vulnerable REST endpoint and anomalous role changes in WordPress user metadata. Because the attack is authenticated, standard “unauthenticated scan” logic will miss it. You need to correlate requests from ordinary user accounts with role or capability changes soon afterward.
Start with web server logs and reverse proxy logs. Search for POST, PUT, or PATCH-style requests to /wp-json/wpgb/v2/metadata, especially from accounts that should not be performing administrative or profile-management actions involving role metadata. Then pivot into WordPress audit logs, database history if available, and plugin security logs to identify whether wp_capabilities changed for the same user account.
Technical Notes
Example web log grep for Apache or Nginx combined logs:
grep -E '(/wp-json/wpgb/v2/metadata)' /var/log/nginx/access.log /var/log/apache2/*access*.log
Example pattern to flag suspicious requests to the vulnerable endpoint:
POST /wp-json/wpgb/v2/metadata
If your logs include request bodies through a WAF, reverse proxy, or API gateway, look for references to sensitive meta keys such as:
wp_capabilities
administrator
Example Splunk search:
index=web_logs (uri_path="/wp-json/wpgb/v2/metadata" OR uri="/wp-json/wpgb/v2/metadata")
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip http_method user user_agent status
| sort - count
Example Sigma-style logic idea for HTTP logs:
title: WP Grid Builder Metadata Endpoint Access
logsource:
category: webserver
detection:
selection:
cs-uri-stem: "/wp-json/wpgb/v2/metadata"
condition: selection
level: medium
To review WordPress roles directly in the database, investigate unexpected administrator assignments:
SELECT user_id, meta_key, meta_value
FROM wp_usermeta
WHERE meta_key = 'wp_capabilities'
AND meta_value LIKE '%administrator%';
Also review recently modified or newly created admin users in the WordPress admin panel and any security plugin audit trails. If you lack request-body visibility or DB change auditing, assume a successful exploit may leave only indirect indicators such as a role change followed by plugin installation, new scheduled tasks, or unfamiliar admin logins.
Mitigation and Patching
The primary mitigation is to upgrade WP Grid Builder to a version newer than 2.3.3. Based on the NVD affected-version statement, 2.3.4 or later is the likely fixed range, but because the exact vendor changelog line was not visible in the retrieved source content for this task, defenders should verify the vendor changelog directly and preferably install the latest available release rather than only the minimum inferred version.
Patching should be accompanied by compromise assessment. Because this bug can grant Administrator rights, simply updating the plugin may stop new exploitation while leaving attacker-created admin accounts or backdoors in place. Review all administrator accounts, role changes, and plugin/theme modifications made since the vulnerable plugin was deployed.
If immediate patching is not possible, reduce exposure by disabling the vulnerable plugin temporarily, restricting user registration, limiting low-privilege account access, and placing compensating controls around the vulnerable endpoint through a WAF or reverse proxy. Those workarounds are weaker than patching because authenticated traffic from legitimate users may still pass through, and endpoint blocking can affect plugin functionality.
Technical Notes
Upgrade with WP-CLI:
wp plugin update wp-grid-builder
If you need to pin or install a known-safe later version after verification:
wp plugin install wp-grid-builder --force
Temporarily deactivate the plugin if emergency containment is required:
wp plugin deactivate wp-grid-builder
Example Nginx emergency block for the vulnerable endpoint while evaluating impact:
location = /wp-json/wpgb/v2/metadata {
deny all;
return 403;
}
Post-patch validation steps:
wp plugin list | grep -i "wp-grid-builder"
wp user list --role=administrator
Then review for unauthorized admins and reset credentials where needed. If compromise is suspected: - remove unapproved admin users, - rotate administrator passwords, - rotate application passwords and API tokens, - inspect installed plugins and themes for persistence, - compare core files and plugin directories against known-good baselines.
References
Primary reference for the vulnerability details is the NVD entry for CVE-2026-13756, which describes the flaw as a privilege-escalation issue in WP Grid Builder caused by missing authorization and meta key validation in the /wp-json/wpgb/v2/metadata update() handler. The NVD record also states the affected range as all versions up to and including 2.3.3 and identifies Subscriber-level authenticated access as sufficient for exploitation.
A secondary reference is the Wordfence vulnerability record, which tracks the issue in the WordPress security ecosystem. The WP Grid Builder project site and changelog are also relevant for validating the fixed release and operational update guidance. Because the exact vendor patch note text was not available in the research material provided here, defenders should consult the changelog directly before documenting a formal minimum fixed version in internal advisories.
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-13756
- WP Grid Builder project site: https://wpgridbuilder.com
- WP Grid Builder changelog: https://docs.wpgridbuilder.com/changelog/
- Wordfence record: https://www.wordfence.com/threat-intel/vulnerabilities/id/6a42e0e8-a8c7-4bc5-80ca-5ef69d1f0b6c?source=cve
For further understanding of related vulnerabilities, you can check out our articles on CVE-2026-44748 and What is Zero Trust Architecture?.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.