The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items_permission_check' function permission callback of the 'process_pattern' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and immediately publish posts of any type (including pages), bypassing the standard WordPress review workflow where contributors must submit posts for administrator approval.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Stellarwp
Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor Wordpress Wordpress wordpress |
|
| Vendors & Products |
Stellarwp
Stellarwp kadence Blocks — Page Builder Toolkit For Gutenberg Editor Wordpress Wordpress wordpress |
Fri, 10 Jul 2026 05:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items_permission_check' function permission callback of the 'process_pattern' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and immediately publish posts of any type (including pages), bypassing the standard WordPress review workflow where contributors must submit posts for administrator approval. | |
| Title | Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication | |
| Weaknesses | CWE-863 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-10T04:31:22.171Z
Reserved: 2026-07-09T15:49:52.117Z
Link: CVE-2026-15286
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T06:30:16Z