CVE-2026-7465: Authenticated RCE in Spectra Gutenberg Blocks
| Field | Value |
|---|---|
| CVE ID | CVE-2026-7465 |
| CVSS score | 8.8 |
| Attack vector | Authenticated remote code execution |
| Auth required | Yes — Contributor-level access or higher |
| Patch status | Update available; NVD confirms versions through 2.19.25 are vulnerable. Exact first fixed version is not explicitly stated in the retrieved advisory material; WordPress.org showed 2.19.28 as current at research time |
TL;DR - High-severity authenticated RCE in Spectra Gutenberg Blocks for WordPress. - Affects all versions through 2.19.25; Contributor+ can trigger it. - Upgrade urgently and audit recent posts, users, and plugin versions.
What defenders need to know
CVE-2026-7465 is a high-severity authenticated remote code execution vulnerability in the Spectra Gutenberg Blocks – Website Builder for the Block Editor WordPress plugin from Brainstorm Force. NVD states the issue affects all versions up to and including 2.19.25. The key operational detail is that the flaw is exploitable by an authenticated attacker with Contributor-level access or higher, which puts many multi-author WordPress deployments squarely in scope.
This is not an edge-case admin-only issue. Contributor is a relatively low privilege level in many publishing workflows, membership sites, agency-managed environments, and SMB sites where multiple users create content. If a Contributor account is compromised through phishing, credential reuse, weak passwords, or another plugin flaw, CVE-2026-7465 can potentially turn that foothold into server-side code execution.
The vulnerability is serious because it crosses the usual boundary between content creation and code execution. Based on the NVD description, exploitation abuses how blocks are registered and rendered, allowing an attacker-controlled callback to be invoked during page rendering. For defenders, that means post content itself can become the delivery vehicle, so standard “only admins can install code” assumptions are not enough.
Technical Notes
The authoritative affected version range from the retrieved source material is:
- Affected:
all versions up to and including 2.19.25 - Exact first fixed version: unknown from retrieved primary-source advisory text
- Currently observed version on WordPress.org at research time:
2.19.28
If you do not yet know whether your site is affected, verify the installed plugin version directly:
wp plugin list | grep ultimate-addons-for-gutenberg
Or inspect the plugin metadata on disk:
grep -E '^Version:' wp-content/plugins/ultimate-addons-for-gutenberg/ultimate-addons-for-gutenberg.php
If your environment is containerized or managed via CI, inventory plugin versions across fleets:
find /var/www -path "*/wp-content/plugins/ultimate-addons-for-gutenberg/ultimate-addons-for-gutenberg.php" \
-exec grep -H -E '^Version:' {} \
;
Affected products and version details
The affected product is the WordPress plugin Spectra Gutenberg Blocks – Website Builder for the Block Editor, distributed under the slug ultimate-addons-for-gutenberg and attributed to Brainstorm Force. Per the NVD record, all versions up to and including 2.19.25 are vulnerable. That version range is the strongest confirmed statement available in the provided research.
One important nuance: the retrieved material does not explicitly identify the first patched release. WordPress.org showed 2.19.28 as the current plugin version at research time, which strongly suggests a newer, presumably non-vulnerable version is available. However, because the source set does not include a vendor advisory or changelog entry explicitly saying “fixed in X,” defenders should avoid overstating precision. The accurate defensive position is: 2.19.25 and earlier are confirmed vulnerable; upgrade to the latest available release immediately.
If you are maintaining compliance records or internal patch documentation, note the distinction between confirmed vulnerable through and confirmed fixed in. This matters when reporting to stakeholders. In the absence of explicit vendor patch language in retrieved sources, assume any version newer than 2.19.25 should still be validated against vendor release notes before closing the incident record, even if immediate operational mitigation is to move to the latest version.
Technical Notes
A quick fleet audit table can help prioritize remediation:
| Installed version | Risk status |
|---|---|
| 2.19.25 or earlier | Confirmed vulnerable per NVD |
| 2.19.26+ | Not confirmed vulnerable by retrieved NVD range, but exact first fixed version was not explicitly stated |
| 2.19.28 | Current observed version on WordPress.org at research time; preferred upgrade target from retrieved data |
Example WP-CLI for a direct version check on a host:
wp plugin get ultimate-addons-for-gutenberg --field=version
If WP-CLI is unavailable, query WordPress options and filesystem metadata as fallback:
php -r "include 'wp-load.php'; echo get_plugin_data('wp-content/plugins/ultimate-addons-for-gutenberg/ultimate-addons-for-gutenberg.php')['Version'] . PHP_EOL;"
How the vulnerability works
According to the NVD description, exploitation requires a two-block payload embedded in post content. The first malicious block registers a fake block type with a uagb/ prefix and an attacker-controlled render_callback. The second malicious block uses that same fake type so that, during sequential rendering in the same request, the callback is invoked through call_user_func().
From a defender’s perspective, the important takeaway is not just “RCE exists,” but where the trust boundary fails. Content rendering should not allow lower-privilege users to influence server-side callback execution in a way that leads to arbitrary code paths. The described behavior suggests that block registration and rendering logic did not sufficiently constrain the relationship between content-defined block structures and permissible callbacks.
This kind of flaw is especially dangerous in WordPress because content passes through multiple systems: the editor, revision history, autosaves, preview rendering, front-end rendering, and plugins that preprocess blocks. Even if no malware file is uploaded, a crafted post may be enough to trigger vulnerable rendering logic when previewed or viewed. That expands the blast radius beyond classic “malicious plugin install” scenarios.
Technical Notes
NVD references vulnerable logic in the plugin file below, although the exact code could not be quoted from the retrieved browser session:
classes/class-uagb-init-blocks.php- NVD-linked line references around
#L330and#L335
Referenced URLs from NVD:
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L330
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L335
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L330
https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L335
Given the NVD description, defenders should specifically assume risk from post content containing suspicious uagb/ block declarations and unusual callback-oriented block structures, even if exact payload syntax is not published.
Exploitation status and threat assessment
Based on the retrieved sources, exploitation in the wild is not confirmed. The CVE is not listed in CISA KEV at the time of research. That means there is no authoritative U.S. government confirmation of active exploitation from KEV status alone, and no CISA remediation deadline applies here.
Also based on the retrieved sources, no public PoC is confirmed. The research note explicitly states no confirmed public exploit repository or GitHub proof-of-concept was found during the session. That said, the lack of a known public PoC should not materially reduce urgency. The NVD description is detailed enough that capable attackers may be able to reproduce the exploit path from the vulnerability mechanics alone, especially in a popular WordPress plugin ecosystem.
For prioritization, the right reading is: no confirmed PoC and no confirmed in-the-wild exploitation from retrieved sources, but a practical and high-impact authenticated RCE in a common CMS plugin. If your environment allows broad Contributor access, outsourced content creation, or weak identity hygiene, this deserves prompt action.
Technical Notes
Current status from retrieved sources:
| Question | Status |
|---|---|
| Confirmed exploited in the wild? | No confirmed evidence in retrieved sources |
| Listed in CISA KEV? | No |
| Public PoC confirmed? | No confirmed evidence in retrieved sources |
| Should defenders wait for exploitation proof? | No — treat as urgent because impact is RCE and required privileges are relatively low |
In the absence of confirmed exploitation telemetry, defenders should assume attackers may pivot from: - stolen Contributor credentials, - compromised SSO-backed WordPress accounts, - chained lower-severity plugin flaws that yield content-edit capability.
Bottom line
CVE-2026-7465 is a high-impact WordPress plugin flaw because it gives Contributor+ users a path to server-side code execution on affected Spectra Gutenberg Blocks installs. The confirmed vulnerable range is all versions through 2.19.25. The exact first fixed version is not explicitly stated in the retrieved source material, but a newer release, 2.19.28, was publicly visible on WordPress.org at research time.
There is no confirmed public PoC and no confirmed in-the-wild exploitation in the retrieved sources, and the CVE is not on CISA KEV as of this writing. Defenders should not take comfort from that absence. For multi-user WordPress environments, especially those with many Contributors or weaker identity controls, this is an urgent patch-and-review issue. Upgrade now, audit recently modified posts, and investigate suspicious Contributor activity.
For further reading, check out our articles on how to spot social engineering attacks and what is consent phishing.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and hunting guidance
Detection should focus on three areas: plugin version exposure, suspicious content changes, and runtime signs of abnormal block rendering. Start with asset inventory to identify any site running 2.19.25 or earlier. Then pivot into content and audit trails: recently created or modified posts by Contributor users are a high-value review set, especially if they contain unexpected custom block markup or unexplained rendering behavior.
Because the available source material does not provide a canonical exploit string, defenders should avoid brittle signatures that rely on one exact payload. Instead, hunt for indicators aligned to the described exploit chain: suspicious uagb/ block references, unusual callback-related content, post previews or page loads followed by PHP errors, and content changes from low-privilege users that correlate with anomalous server behavior.
You should also review WordPress user management and editorial patterns. A Contributor account suddenly creating drafts with dense HTML comments, odd block JSON, or unexpected block names is worth investigation. If logging is limited, pull post revisions from the database and compare changes across the affected period.
Technical Notes
Example SQL to review recently modified posts for suspicious uagb/ references:
SELECT ID, post_author, post_date, post_modified, post_status, post_title
FROM wp_posts
WHERE post_content LIKE '%uagb/%'
ORDER BY post_modified DESC
LIMIT 100;
Example SQL to isolate likely suspicious custom callback-related content in posts:
SELECT ID, post_author, post_modified, post_title
FROM wp_posts
WHERE post_content LIKE '%uagb/%'
AND (
post_content LIKE '%render_callback%'
OR post_content LIKE '%call_user_func%'
)
ORDER BY post_modified DESC;
WP-CLI content grep on a host:
wp post list --post_type=post,page --format=ids | tr ' ' '\n' | while read id; do
wp post get "$id" --field=content | grep -nE 'uagb/|render_callback|call_user_func' && echo "POST_ID=$id"
done
Concrete log pattern to hunt in web or PHP logs:
render_callback
uagb/
call_user_func
class-uagb-init-blocks.php
ultimate-addons-for-gutenberg
Example grep across Apache/Nginx/PHP logs:
grep -RniE 'render_callback|uagb/|call_user_func|class-uagb-init-blocks\.php|ultimate-addons-for-gutenberg' \
/var/log/nginx /var/log/apache2 /var/log/php* 2>/dev/null
If you centralize logs in Splunk, a practical hunt query is:
index=web OR index=app
("class-uagb-init-blocks.php" OR "ultimate-addons-for-gutenberg" OR "render_callback" OR "call_user_func" OR "uagb/")
| stats count by host, source, uri_path, user, src_ip
| sort - count
Mitigation and patching
The primary mitigation is straightforward: upgrade immediately if you are running 2.19.25 or earlier. Because the exact first fixed version is not explicitly named in the retrieved advisories, the safest practical guidance is to upgrade to the latest available version. At research time, WordPress.org showed 2.19.28 as the current version.
If you cannot patch immediately, reduce exploitability by tightening permissions around content creation and publication. Since the vulnerability requires Contributor-level access or higher, temporarily limiting or suspending Contributor accounts on exposed sites is a meaningful risk-reduction measure. This is especially relevant for sites with infrequently used accounts, agency users, contractors, or recently onboarded authors.
A second mitigation track is content review and plugin disablement. If patching must be delayed, review recent posts and drafts for suspicious block structures and consider temporarily disabling the plugin on high-risk systems. That may impact site functionality, but for internet-facing sites with many content authors, temporary feature loss may be preferable to leaving an authenticated RCE exposed.
Technical Notes
Upgrade with WP-CLI:
wp plugin update ultimate-addons-for-gutenberg
If you manage exact versions and have validated 2.19.28 internally:
wp plugin install ultimate-addons-for-gutenberg --version=2.19.28 --force
Verify after upgrade:
wp plugin get ultimate-addons-for-gutenberg --fields=name,status,version,update_version
Temporary workaround if patching is not immediately possible:
wp plugin deactivate ultimate-addons-for-gutenberg
To reduce exposure from low-privileged users while patching is staged, enumerate Contributors:
wp user list --role=contributor --fields=ID,user_login,user_email,registered
Then disable or reset at-risk accounts using your normal identity process. If you must keep the plugin enabled, at minimum: - restrict Contributor and Author roles, - review recent post revisions, - enforce MFA where available, - rotate credentials for shared editorial accounts.
Response checklist for admins and SOC teams
For WordPress administrators, the immediate actions are: identify affected instances, upgrade the plugin, and review recent content and user activity. Make sure the version check is not limited to production only; staging, pre-production, and forgotten microsites often lag behind and are common attacker footholds.
For SOC and IR teams, treat this as a potential post-compromise escalation vector. If you already have evidence of suspicious Contributor logins, anomalous post creation, or unexplained PHP execution on a WordPress host, include CVE-2026-7465 in the hypothesis set. Preserve web server logs, PHP logs, WordPress audit logs, and post revision history before cleanup. Content-based exploitation can leave more evidence in the CMS and database than in the filesystem.
A pragmatic triage sequence is to confirm version, inspect recent drafts/posts by non-admin users, search logs for the strings listed above, and then decide whether broader host compromise assessment is needed. Because the impact is RCE, any sign of successful exploitation should trigger host-level investigation, including web shell checks, cron persistence review, unexpected admin account creation, and outbound connection analysis.
Technical Notes
Useful IR commands:
wp post list --post_status=any --orderby=modified --order=DESC --format=table
wp user list --fields=ID,user_login,roles,user_registered,display_name
find wp-content/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.php*" \) -print
grep -RniE 'eval\(|base64_decode\(|system\(|shell_exec\(|assert\(' wp-content 2>/dev/null
References
Primary sources used for this article:
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-7465
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- WordPress.org plugin page: https://wordpress.org/plugins/ultimate-addons-for-gutenberg/
- WordPress.org plugin markdown output: https://wordpress.org/plugins/ultimate-addons-for-gutenberg/?output_format=md
NVD-listed code references:
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L330
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L335
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L330
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-init-blocks.php#L335