Description
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items_permission_check' function permission callback of the 'process_pattern' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and immediately publish posts of any type (including pages), bypassing the standard WordPress review workflow where contributors must submit posts for administrator approval.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 10 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Stellarwp
Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor Wordpress Wordpress wordpress |
|
| Vendors & Products |
Stellarwp
Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor Wordpress Wordpress wordpress |
Fri, 10 Jul 2026 05:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items_permission_check' function permission callback of the 'process_pattern' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and immediately publish posts of any type (including pages), bypassing the standard WordPress review workflow where contributors must submit posts for administrator approval. | |
| Title | Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication | |
| Weaknesses | CWE-863 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-10T04:31:22.171Z
Reserved: 2026-07-09T15:49:52.117Z
Link: CVE-2026-15286
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T06:30:16Z
Weaknesses