Plugin Vulnerability Hub
Plugin: 32 known issues. Latest disclosed: Apr 03, 2026

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Vulnerabilities

Review known vulnerability records for the WordPress plugin Kadence Blocks — Page Builder Toolkit for Gutenberg Editor (`kadence-blocks`), including severity, CVE references, affected versions, and patch status.

Known Records: 32
High or Critical: 2
Linked CVEs: 30
Last Updated: Apr 04, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Kadence Blocks — Page Builder Toolkit for Gutenberg Editor so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility: 32 records include a published patch path.
Severity Mix: 1 critical and 1 high severity finding.
Reference Workflow: Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.

Known Vulnerabilities

Reports for Kadence Blocks — Page Builder Toolkit for Gutenberg Editor

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-2826
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user has the `upload_files` capability in the `process_pa...

Published: Apr 03, 2026
Patched Release: 3.6.4
Affected Versions: Versions up to 3.6.3
Next Step: Update to 3.6.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-2633
Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_pro...

Published: Feb 17, 2026
Patched Release: 3.6.2
Affected Versions: Versions up to 3.6.1
Next Step: Update to 3.6.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-1857
Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'endpoint' Parameter

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API h...

Published: Feb 17, 2026
Patched Release: 3.6.2
Affected Versions: Versions up to 3.6.1
Next Step: Update to 3.6.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-2608
Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contribu...

Published: Feb 11, 2026
Patched Release: 3.6.0
Affected Versions: Versions up to 3.5.32
Next Step: Update to 3.6.0 or newer if supported.

Plugin Medium Patched: Yes
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items_permission_check' function permission call...

Published: Feb 10, 2026
Patched Release: 3.6.0
Affected Versions: Versions up to 3.5.32
Next Step: Update to 3.6.0 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-5678
Kadence Blocks – Gutenberg Blocks for Page Builder Features <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes...

Published: Jul 08, 2025
Patched Release: 3.5.11
Affected Versions: Versions up to 3.5.10
Next Step: Update to 3.5.11 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-1291
Gutenberg Blocks by Kadence Blocks <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'icon'

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icon’ parameter in all versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping. This makes it poss...

Published: Feb 28, 2025
Patched Release: 3.4.10
Affected Versions: Versions up to 3.4.9
Next Step: Update to 3.4.10 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-24753
Gutenberg Blocks by Kadence Blocks <= 3.3.1 - Missing Authorization

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Contr...

Published: Jan 24, 2025
Patched Release: 3.3.2
Affected Versions: Versions up to 3.3.1
Next Step: Update to 3.3.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12304
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.4.2 - Authenticated (contributor+) Stored Cross-Site Scripting via Button Link

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via button block link in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping. This makes it possibl...

Published: Jan 10, 2025
Patched Release: 3.4.3
Affected Versions: Versions up to 3.4.2
Next Step: Update to 3.4.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-10637
Kadence Blocks <= 3.2.53 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a...

Published: Nov 21, 2024
Patched Release: 3.2.54
Affected Versions: Versions up to 3.2.53
Next Step: Update to 3.2.54 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-12581
Kadence Blocks <= 3.2.53 - Authenticated (Admin+) Stored Cross-Site Scripting

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible...

Published: Nov 21, 2024
Patched Release: 3.2.54
Affected Versions: Versions up to 3.2.53
Next Step: Update to 3.2.54 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-10785
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it po...

Published: Nov 20, 2024
Patched Release: 3.3.4
Affected Versions: Versions up to 3.3.3
Next Step: Update to 3.3.4 or newer if supported.