PatchSiren cyber security CVE debrief
CVE-2026-7465 brainstormforce CVE debrief
A remote code execution vulnerability exists in the Spectra Gutenberg Blocks – Website Builder for the Block Editor WordPress plugin (also known as Ultimate Addons for Gutenberg). The flaw affects all versions up to and including 2.19.25. An authenticated attacker with Contributor-level access or higher can execute arbitrary code on the server by embedding a crafted two-block payload in post content. The first block registers a fake uagb/-prefixed block type with an attacker-controlled render_callback, and the second block of the same fake type triggers invocation of that callback through call_user_func() during sequential block rendering within the same page request. The vulnerability was published on 2026-05-30 and last modified on 2026-06-01. The NVD status is currently Deferred. The weakness is classified as CWE-269 (Improper Privilege Management).
- Vendor: brainstormforce
- Product: Spectra Gutenberg Blocks – Website Builder for the Block Editor
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-30
- Original CVE updated: 2026-06-01
- Advisory published: 2026-05-30
- Advisory updated: 2026-06-01
Who should care
WordPress site administrators using the Spectra Gutenberg Blocks plugin, security teams monitoring WordPress environments, and organizations that grant Contributor-level or higher access on their WordPress installations.
Technical summary
The vulnerability stems from improper validation of block type registrations within the plugin's block initialization class. During sequential block rendering, the plugin invokes call_user_func() using render_callback values that can be attacker-controlled through crafted post content. A two-stage payload is required: the first block establishes a fake block type with the uagb/ prefix and specifies a malicious callback function, while the second block triggers the registered callback's execution. Because this occurs during a single page request, the attacker achieves server-side code execution without requiring additional requests after the malicious post is saved. The affected code paths in class-uagb-init-blocks.php at lines 330 and 335 handle block registration and callback invocation respectively.
Defensive priority
HIGH
Recommended defensive actions
- Update the Spectra Gutenberg Blocks plugin (Ultimate Addons for Gutenberg) to a version newer than 2.19.25 as soon as a patched release is available
- Review and restrict Contributor-level and higher user accounts to trusted personnel only
- Audit existing post content for unexpected uagb/-prefixed blocks that may indicate prior exploitation
- Implement Web Application Firewall rules to detect and block suspicious block registration patterns
- Monitor server logs for unusual call_user_func() invocations originating from the plugin's block rendering pipeline
- Consider temporarily disabling the plugin if patching is not immediately feasible and the functionality is not critical
- Apply the principle of least privilege by reviewing whether each user actually requires the Contributor, Author, Editor, or Administrator role
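As an added example for the content-audit action above (this is not code from the advisory, the NVD record or the plugin), the script below parses Gutenberg block comments in exported post_content and flags uagb/-namespaced block types that the plugin does not register; an unregistered type that appears twice in one post matches the two-stage pattern described in the technical summary. KNOWN_UAGB_BLOCKS is an assumed placeholder allowlist and SAMPLE_POSTS are constructed rows; on a real site, fill the allowlist from the registered block types (WP_Block_Type_Registry) and feed it the wp_posts export.

```python
import json
import re
from collections import Counter

# Gutenberg serialises a block as an HTML comment:  <!-- wp:ns/name {json attrs} -->
# or self-closing  <!-- wp:ns/name {json attrs} /-->. Core blocks omit the "core/" namespace.
BLOCK_OPEN = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9-]*(?:/[a-z][a-z0-9-]*)?)"
    r"\s*(?P<attrs>\{.*?\})?\s*/?-->",
    re.DOTALL,
)

# Placeholder allowlist (assumed, not taken from the advisory): export the real list from
# the site's WP_Block_Type_Registry and keep only the names under the uagb/ namespace.
KNOWN_UAGB_BLOCKS = {"uagb/advanced-heading", "uagb/container", "uagb/buttons"}

def parse_blocks(post_content):
    """Return [(block_name, attrs_dict), ...] for every opening block comment."""
    blocks = []
    for m in BLOCK_OPEN.finditer(post_content):
        raw = m.group("attrs")
        try:
            attrs = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            attrs = {"_unparsed": raw}  # keep malformed JSON visible instead of dropping it
        blocks.append((m.group("name"), attrs))
    return blocks

def audit_post(post_id, post_content, known=KNOWN_UAGB_BLOCKS):
    """Flag uagb/ blocks of a type the plugin does not ship. An unknown type appearing two
    or more times in one post matches the two-stage pattern the advisory describes."""
    seen = Counter(b for b, _ in parse_blocks(post_content) if b.startswith("uagb/"))
    return [
        (post_id, name, "high" if n >= 2 else "medium", f"unregistered uagb/ type, {n} occurrence(s)")
        for name, n in seen.items()
        if name not in known
    ]

# Constructed sample rows, shaped like (ID, post_content) exported from wp_posts.
SAMPLE_POSTS = [
    (101, '<!-- wp:uagb/advanced-heading {"block_id":"a1"} --><h2>Hi</h2>'
          '<!-- /wp:uagb/advanced-heading --><!-- wp:paragraph --><p>ok</p><!-- /wp:paragraph -->'),
    (102, '<!-- wp:uagb/not-a-real-block {"block_id":"b2"} /-->'
          '<!-- wp:uagb/not-a-real-block {"block_id":"b3"} /-->'),
]

if __name__ == "__main__":
    for pid, content in SAMPLE_POSTS:
        print(pid, audit_post(pid, content))
```

Post 101 produces no findings; post 102 is reported at "high" because a type outside the allowlist occurs twice in one post.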
Evidence notes
The vulnerability description and technical details are sourced from the NVD record and Wordfence security advisory. The affected code paths are identified in the plugin's class-uagb-init-blocks.php file at lines 330 and 335 in both the tagged 2.19.25 release and trunk versions. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Official resources
2026-05-30T10:16:23.860Z