Vulnerability Report

CVE-2026-7465

RCE

Title: Spectra Gutenberg Blocks Plugin Remote Code Execution

Auth Bypass

Proof Of Concept

PoC Available for CVE-2026-7465

CWE Category CWE-269
Published Date May 30, 2026
Modified Date Jun 01, 2026
Exploit Status Available
Score 8.8 CVSS v3.1
Exploit Probability (EPSS) 0.83%

Vulnerability Summary

CVE-2026-7465: The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Exploitation requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the same page request.

CVSS v3.1

Source Entity [email protected]
Severity HIGH (8.8)
Attack Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
Confidentiality N/A
Integrity N/A
Availability N/A
Scope UNCHANGED
Raw Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2026-7465 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/endangcamon/CVE-2026-7465-POC
MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.