{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3480", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-03T14:43:17.464Z", "datePublished": "2026-04-08T06:43:38.560Z", "dateUpdated": "2026-04-08T16:48:07.477Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:07.477Z"}, "affected": [{"vendor": "burlingtonbytes", "product": "WP Blockade \u2013 Visual Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.9.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files)."}], "title": "WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-04-07T17:39:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:20:04.875724Z", "id": "CVE-2026-3480", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:20:13.419Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3480", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:20:04.875724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:20:09.623Z"}}], "cna": {"title": "WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "burlingtonbytes", "product": "WP Blockade \u2013 Visual Page Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.9.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-07T17:39:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112"}], "descriptions": [{"lang": "en", "value": "The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T06:43:38.560Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3480", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:20:13.419Z", "dateReserved": "2026-03-03T14:43:17.464Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:38.560Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files)."}], "id": "CVE-2026-3480", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:21.243", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.9.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Blockade \u2013 Visual Page Builder", "source": "cna", "vendor": "burlingtonbytes"}, "product": "wp_blockade_\u2013_visual_page_builder", "vendor": "burlingtonbytes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:53:06.446549+00:00", "value": {"mitigation_remediation": ["Update WP Blockade to a version newer than\u202f0.9.14, ensuring that the shortcode preview handler performs proper capability checks and nonce validation. ", "If an update is not immediately available, temporarily disable or remove the WP Blockade plugin to eliminate the exploit path. ", "Verify that the wp\u2011blockade\u2011shortcode\u2011render admin\u2011post action is no longer registered by inspecting the site's admin\u2011post hooks or by testing the endpoint."], "summary": {"action": "Apply Patch", "impact": "Arbitrary shortcode execution via authenticated user"}, "threat_synthesis": {"affected_systems": "All releases of the WP Blockade \u2013 Visual Page Builder plugin by Burlingtonbytes up to and including version\u202f0.9.14 are affected. WordPress sites hosting any of these versions are vulnerable.", "description_and_impact": "WP Blockade for WordPress contains a missing authorization flaw that allows any authenticated user to supply a shortcode through the 'shortcode' GET parameter. The plugin does not perform capability checks or nonce validation before passing the value to WordPress\u2019s do_shortcode function, enabling arbitrary shortcode execution. Depending on which shortcodes are registered by other plugins on the site, an attacker could extract sensitive data, modify site content, or even elevate privileges.", "risk_and_exploitability": "The CVSS score of\u202f6.5 indicates moderate severity, and the absence of an EPSS rating means the current likelihood of exploitation is unknown. The flaw is not listed in the CISA KEV catalog. An attacker must already be authenticated with a Subscriber role or higher; once logged in, they can trigger the exploit by requesting wp\u2011admin/admin\u2011post.php?action=wp\u2011blockade\u2011shortcode\u2011render with a crafted shortcode value. Because many sites install plugins that expose sensitive data through shortcodes, the potential impact ranges from information disclosure to privilege escalation."}}}}, "created": "2026-04-08T19:31:13.276352+00:00", "updated": "2026-04-08T19:43:46.667446+00:00", "vendors": ["burlingtonbytes", "burlingtonbytes$PRODUCT$wp_blockade_\u2013_visual_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}