CVE-2026-1857: CWE-918 Server-Side Request Forgery (SSRF) in stellarwp Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers.
AI Analysis
Technical Summary
CVE-2026-1857 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Kadence Blocks — Page Builder Toolkit for Gutenberg Editor WordPress plugin developed by stellarwp. This vulnerability affects all versions up to and including 3.6.1. The root cause is insufficient validation of the 'endpoint' parameter within the 'get_items()' function of the GetResponse REST API handler. The permission check for this API endpoint is improperly configured, requiring only the 'edit_posts' capability, which corresponds to the Contributor role or higher, rather than the more restrictive 'manage_options' capability typically reserved for administrators. This misconfiguration allows any authenticated user with Contributor-level access or above to craft server-side requests to arbitrary endpoints on the configured GetResponse API server. Exploiting this flaw enables attackers to retrieve sensitive information such as contact lists, marketing campaigns, and mailing lists by leveraging the site's stored API credentials. Additionally, the stored API key is leaked in the request headers during exploitation, potentially allowing further unauthorized access to the GetResponse API. The vulnerability does not require user interaction and can be exploited remotely over the network. Although the CVSS v3.1 base score is 4.3, indicating medium severity, the impact on confidentiality is notable due to potential data leakage. No known exploits are currently reported in the wild, but the vulnerability poses a risk to sites using this plugin with multiple user roles, especially those with Contributor-level permissions. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure, particularly for those using the Kadence Blocks plugin integrated with GetResponse API for marketing or customer relationship management. Attackers with Contributor-level access can exfiltrate sensitive marketing data, including contact details and campaign information, which may contain personal data protected under GDPR. The leakage of API keys further exacerbates the risk, potentially allowing attackers to perform unauthorized operations on the GetResponse platform, leading to broader data compromise or manipulation of marketing campaigns. This can result in reputational damage, regulatory penalties, and loss of customer trust. Organizations with multiple contributors or editors on their WordPress sites are particularly vulnerable. The medium CVSS score reflects moderate ease of exploitation and limited impact on system availability or integrity but highlights confidentiality concerns. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Attackers could leverage this SSRF to pivot into internal networks if the GetResponse API server is accessible internally, increasing the attack surface.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Kadence Blocks — Page Builder Toolkit plugin, especially versions up to 3.6.1. Until an official patch is released, administrators should restrict Contributor-level user permissions to trusted personnel only and consider temporarily disabling or removing the plugin if feasible. Implementing strict network egress filtering to prevent the WordPress server from making arbitrary outbound requests to untrusted endpoints can reduce SSRF exploitation risk. Monitoring and logging outbound HTTP requests from the WordPress server can help detect suspicious activity. Additionally, organizations should rotate and revoke any exposed GetResponse API keys and enforce the principle of least privilege on API credentials. Applying Web Application Firewall (WAF) rules to detect and block unusual REST API calls targeting the vulnerable endpoint can provide an additional layer of defense. Finally, stay informed about vendor updates and apply patches promptly once available.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
CVE-2026-1857: CWE-918 Server-Side Request Forgery (SSRF) in stellarwp Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Description
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts, campaigns, and mailing lists using the site's stored API credentials. The stored API key is also leaked in the request headers.
AI-Powered Analysis
Technical Analysis
CVE-2026-1857 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Kadence Blocks — Page Builder Toolkit for Gutenberg Editor WordPress plugin developed by stellarwp. This vulnerability affects all versions up to and including 3.6.1. The root cause is insufficient validation of the 'endpoint' parameter within the 'get_items()' function of the GetResponse REST API handler. The permission check for this API endpoint is improperly configured, requiring only the 'edit_posts' capability, which corresponds to the Contributor role or higher, rather than the more restrictive 'manage_options' capability typically reserved for administrators. This misconfiguration allows any authenticated user with Contributor-level access or above to craft server-side requests to arbitrary endpoints on the configured GetResponse API server. Exploiting this flaw enables attackers to retrieve sensitive information such as contact lists, marketing campaigns, and mailing lists by leveraging the site's stored API credentials. Additionally, the stored API key is leaked in the request headers during exploitation, potentially allowing further unauthorized access to the GetResponse API. The vulnerability does not require user interaction and can be exploited remotely over the network. Although the CVSS v3.1 base score is 4.3, indicating medium severity, the impact on confidentiality is notable due to potential data leakage. No known exploits are currently reported in the wild, but the vulnerability poses a risk to sites using this plugin with multiple user roles, especially those with Contributor-level permissions. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure, particularly for those using the Kadence Blocks plugin integrated with GetResponse API for marketing or customer relationship management. Attackers with Contributor-level access can exfiltrate sensitive marketing data, including contact details and campaign information, which may contain personal data protected under GDPR. The leakage of API keys further exacerbates the risk, potentially allowing attackers to perform unauthorized operations on the GetResponse platform, leading to broader data compromise or manipulation of marketing campaigns. This can result in reputational damage, regulatory penalties, and loss of customer trust. Organizations with multiple contributors or editors on their WordPress sites are particularly vulnerable. The medium CVSS score reflects moderate ease of exploitation and limited impact on system availability or integrity but highlights confidentiality concerns. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Attackers could leverage this SSRF to pivot into internal networks if the GetResponse API server is accessible internally, increasing the attack surface.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Kadence Blocks — Page Builder Toolkit plugin, especially versions up to 3.6.1. Until an official patch is released, administrators should restrict Contributor-level user permissions to trusted personnel only and consider temporarily disabling or removing the plugin if feasible. Implementing strict network egress filtering to prevent the WordPress server from making arbitrary outbound requests to untrusted endpoints can reduce SSRF exploitation risk. Monitoring and logging outbound HTTP requests from the WordPress server can help detect suspicious activity. Additionally, organizations should rotate and revoke any exposed GetResponse API keys and enforce the principle of least privilege on API credentials. Applying Web Application Firewall (WAF) rules to detect and block unusual REST API calls targeting the vulnerable endpoint can provide an additional layer of defense. Finally, stay informed about vendor updates and apply patches promptly once available.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-03T19:00:13.022Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6995672780d747be204d2939
Added to database: 2/18/2026, 7:15:51 AM
Last enriched: 2/18/2026, 7:31:31 AM
Last updated: 2/21/2026, 12:16:52 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp
HighCVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail
HighCVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator
HighCVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno
HighCVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.