CVE-2026-0950: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in brainstormforce Spectra Gutenberg Blocks – Website Builder for the Block Editor
CVE-2026-0950 is a medium severity information disclosure vulnerability in the Spectra Gutenberg Blocks plugin for WordPress, affecting all versions up to and including 2.19.17. The flaw arises because the plugin does not verify whether a post is password-protected before rendering excerpts in certain blocks, allowing unauthenticated attackers to view excerpts of protected posts. This can lead to unauthorized exposure of sensitive content without requiring any user interaction or authentication. The vulnerability impacts confidentiality but does not affect integrity or availability. No known exploits are currently reported in the wild. European organizations using WordPress sites with this plugin are at risk of sensitive data leakage, especially if they rely on password-protected posts for confidential information. Mitigation involves updating the plugin once a patch is released or implementing custom code to enforce password checks before rendering excerpts. Countries with high WordPress adoption and significant use of this plugin, such as Germany, the UK, and France, are more likely to be affected.
AI Analysis
Technical Summary
CVE-2026-0950 is an information disclosure vulnerability identified in the Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress, affecting all versions up to and including 2.19.17. The root cause is the plugin's failure to invoke the WordPress function post_password_required() before rendering post excerpts within the render_excerpt() function and the uagb_get_excerpt() helper function. This omission allows unauthenticated attackers to bypass password protections on posts by simply accessing any page containing Spectra blocks such as Post Grid, Post Masonry, Post Carousel, or Post Timeline. These blocks render excerpts of posts without verifying if the post is password-protected, exposing potentially sensitive content. The vulnerability impacts confidentiality (CWE-200) but does not affect integrity or availability. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation and limited impact scope. No patches or exploits are currently publicly available, but the issue is documented and published as of February 3, 2026. Organizations using this plugin on WordPress sites should be aware that sensitive excerpts from password-protected posts may be exposed to unauthorized viewers, potentially leading to data leakage or privacy violations.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive or confidential information published on WordPress sites using the Spectra Gutenberg Blocks plugin. Many organizations use password-protected posts to restrict access to internal communications, client data, or proprietary content. Exposure of excerpts from such posts could lead to information leakage, reputational damage, and potential regulatory non-compliance under GDPR if personal data is involved. Since the vulnerability requires no authentication and no user interaction, attackers can easily automate data harvesting. The impact is primarily on confidentiality, with no direct effect on system integrity or availability. Organizations in sectors such as finance, healthcare, legal, and government that rely on WordPress for content management are particularly at risk. The medium severity score indicates moderate risk, but the widespread use of WordPress and the plugin increases the potential attack surface across Europe.
Mitigation Recommendations
1. Monitor for official patches or updates from Brainstormforce and apply them promptly once available.
2. Until a patch is released, implement custom code or filters in the WordPress theme or child theme to enforce post_password_required() checks before rendering excerpts in Spectra blocks.
3. Review all password-protected posts and consider removing sensitive content from excerpts or disabling the display of excerpts in Spectra blocks.
4. Limit the use of Spectra blocks that render post excerpts on publicly accessible pages.
5. Conduct regular audits of WordPress plugins and their configurations to ensure compliance with security best practices.
6. Employ web application firewalls (WAFs) with rules to detect and block suspicious requests targeting these blocks.
7. Educate content editors on the risks of relying solely on password protection without verifying plugin behavior.
8. Consider alternative plugins or custom solutions that correctly enforce access controls on protected content.
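As an added illustration of the missing check (example code written for this page, not Spectra's or WordPress core's own source): a hardened excerpt helper that calls post_password_required() before touching post content, beside an audit query that lists the password-protected posts whose excerpts such blocks would expose (mitigation steps 2 and 3). Functions prefixed example_ are hypothetical; Spectra's internal hooks are not documented on this page, so the snippet does not wire into them.

```php
<?php
/**
 * Added example, not plugin code. Drop into wp-content/mu-plugins/ on a
 * staging site to exercise both helpers.
 */

/**
 * Build an excerpt only when the viewer is allowed to see the post.
 * This is the check CVE-2026-0950 describes as absent: excerpts were
 * produced from post data without first calling post_password_required().
 */
function example_safe_excerpt( $post, int $length = 55 ): string {
    $post = get_post( $post );
    if ( ! $post instanceof WP_Post ) {
        return '';
    }
    // Same rule WordPress core applies in get_the_excerpt(): a protected
    // post yields nothing until the visitor's password cookie validates.
    if ( post_password_required( $post ) ) {
        return '';
    }
    $text = '' !== $post->post_excerpt ? $post->post_excerpt : $post->post_content;
    $text = wp_strip_all_tags( strip_shortcodes( $text ) );
    return wp_trim_words( $text, $length, '&hellip;' );
}

/**
 * Audit helper: enumerate published password-protected posts so editors can
 * see which ones carry a manual excerpt (or content an excerpt block would
 * trim) and decide whether that text is safe to appear in a listing block.
 */
function example_audit_protected_posts(): array {
    $query = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => 'publish',
        'has_password'   => true,   // only posts with a password set
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'no_found_rows'  => true,
    ) );
    $findings = array();
    foreach ( $query->posts as $id ) {
        $p = get_post( $id );
        $findings[] = array(
            'id'             => $id,
            'title'          => $p->post_title,
            'manual_excerpt' => '' !== $p->post_excerpt,
            'preview'        => wp_trim_words( wp_strip_all_tags( $p->post_content ), 10 ),
        );
    }
    return $findings;
}
```

Running example_audit_protected_posts() from a WP-CLI shell (wp shell) prints the list as an array; any entry whose preview or manual excerpt contains confidential text is a candidate for step 3 above.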
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-14T17:53:04.377Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69818b64f9fa50a62fa73b88
Added to database: 2/3/2026, 5:45:08 AM
Last enriched: 2/3/2026, 6:00:02 AM
Last updated: 2/3/2026, 7:31:06 AM