PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11357 stellarwp CVE debrief

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress, in all versions up to and including 3.7.5, discloses sensitive information to authenticated users with Contributor-level access or higher. Such a user can read the site's connected Kadence account license key, license owner email, API key, API email and license domain by inspecting window.kadence_blocks_params.proData in the browser console while the block editor is open. The disclosure only occurs on sites where an administrator has previously connected a valid Kadence license.

Vendor
stellarwp
Product
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-18
Advisory published
2026-06-18
Advisory updated
2026-06-18

Who should care

Administrators of WordPress sites that run the Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin should care, above all those that have connected a Kadence license and that grant Contributor (or higher) accounts to people they do not fully trust, such as multi-author blogs, guest-posting sites and agency sites with client logins. Contributors are the lowest role that can open the block editor, so any such account on an affected version can harvest the license key and API credentials.

Technical summary

The Kadence Blocks plugin exposes the sensitive data through its editor_assets_variables routine, which passes the connected Kadence account's license key, license owner email, API key, API email and license domain to the block editor's JavaScript as properties of window.kadence_blocks_params.proData. Because that object is emitted into every editor page load regardless of the viewer's role, any user who can open the block editor (a Contributor editing their own draft is enough) can read the values from the browser console or directly from the page source. No server-side request has to be tampered with; the secrets are delivered to the client as a normal part of the page. The disclosure only occurs when an administrator has connected a valid Kadence license, since otherwise the fields are empty.
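The following is an added example, not code from PatchSiren, StellarWP or the Kadence Blocks plugin. It is a self-check an administrator can run from the block editor's console while logged in as a test Contributor account: it reads the object at window.kadence_blocks_params, reports which proData fields look like the license and API secrets described above, and masks the values so the finding can be recorded without re-disclosing them. The exact property names inside proData are not given in the advisory, so the check matches on key names and value shapes rather than on assumed field names; the two sample objects are constructed to show the affected shape (every field readable) and a hardened shape (only a yes/no flag the editor actually needs).

```javascript
'use strict';

// Added example: not code from PatchSiren, StellarWP or the Kadence Blocks plugin.
// Audits the object the block editor exposes as window.kadence_blocks_params and
// reports which proData fields look like the license/API secrets the advisory names.
// Property names inside proData are unknown here, so matching is by key name and
// value shape rather than by fixed field names.

const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const DOMAIN_KEY_PATTERN = /domain|url|site/i;
const CREDENTIAL_KEY_PATTERN = /key|secret|token|licen[cs]e/i;

// Mask a value so a finding can be logged or pasted into a ticket without
// re-disclosing the secret: keep only the last four characters.
function redact(value) {
  const s = String(value);
  if (s.length <= 4) return '*'.repeat(s.length);
  return '*'.repeat(s.length - 4) + s.slice(-4);
}

// Classify one proData entry; returns null when the entry discloses nothing useful.
function classify(key, value) {
  // A bare "is licensed" flag or an empty slot is what a hardened build would ship.
  if (typeof value === 'boolean' || value === null || value === undefined || value === '') {
    return null;
  }
  if (typeof value !== 'string' && typeof value !== 'number') return null;
  const s = String(value);
  if (EMAIL_PATTERN.test(s)) return 'email';
  if (DOMAIN_KEY_PATTERN.test(key)) return 'domain';
  if (CREDENTIAL_KEY_PATTERN.test(key)) return 'credential';
  return null;
}

// params: the object found at window.kadence_blocks_params (or a copy of it).
// Returns { present, exposed: [{ key, kind, redacted }] }.
function auditKadenceParams(params) {
  const proData = params && params.proData;
  if (!proData || typeof proData !== 'object') {
    return { present: false, exposed: [] };
  }
  const exposed = [];
  for (const [key, value] of Object.entries(proData)) {
    const kind = classify(key, value);
    if (kind) exposed.push({ key, kind, redacted: redact(value) });
  }
  return { present: true, exposed };
}

// Convenience wrapper for pasting into the editor's browser console.
function auditCurrentPage() {
  if (typeof window === 'undefined' || !window.kadence_blocks_params) {
    return { present: false, exposed: [], note: 'kadence_blocks_params not on this page' };
  }
  return auditKadenceParams(window.kadence_blocks_params);
}

// Constructed sample inputs (not captured from a real site; key names are assumed).
// Shape an affected install might expose: every field readable in clear text.
const SAMPLE_LEAKY = {
  proData: {
    license_key: 'kb-1234-5678-9abc-def0',
    license_email: 'owner@example.com',
    api_key: 'ABCDEF0123456789',
    api_email: 'api-user@example.com',
    domain: 'blog.example.com',
  },
};
// Shape a hardened install would expose: only the answer the editor needs.
const SAMPLE_HARDENED = { proData: { activated: true } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditKadenceParams(SAMPLE_LEAKY), null, 2));
  console.log(JSON.stringify(auditKadenceParams(SAMPLE_HARDENED), null, 2));
}
```

Run auditCurrentPage() in the console of a post-editing screen as a Contributor: a non-empty exposed list on an unpatched site means the license key and API key should be treated as compromised and rotated, not merely hidden by the update.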

Defensive priority

Medium

Recommended defensive actions

  • Update the Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin to a version later than 3.7.5; every version up to and including 3.7.5 is affected.
  • Until the update is applied, review which accounts hold the Contributor role or higher and remove or downgrade any that do not need to open the block editor.
  • Assume exposure rather than looking for traces: the secrets are delivered inside an editor page the Contributor is entitled to load, so reading them leaves no distinctive entry in server or access logs. If untrusted Contributor accounts existed while a license was connected, treat the license key and API key as disclosed.
  • Do not rely on a Web Application Firewall for this issue. The disclosure happens in the browser of an authenticated user viewing a legitimate page, so there is no malicious request for a WAF to block; keep the WAF for its usual role in front of the site.
  • After updating, rotate the Kadence account credentials and API key, and keep rotation on a regular schedule so a past leak has a bounded lifetime.
  • Limit the number of people who can see license keys and API credentials to those who administer the license, and connect the license from an administrator account only.

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Wordfence security research. The CVE was published on June 18, 2026, and last modified the same day. The cited references point to the Kadence Blocks plugin codebase, where the editor-side exposure of the license data can be confirmed.

Official resources

CVE-2026-11357 was published and modified on June 18, 2026.