HarborGuard / CVE

HIGH · CVE-2026-7465 · CNA: Wordfence

CVE-2026-7465: Spectra Gutenberg Blocks <= 2.19.25 - Authenticated (Contributor+) Remote Code Execution via Arbitrary PHP Function Call via Block Attributes

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Exploitation requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the same page request.

HarborGuard Analysis

Synopsis

This is an authenticated remote code execution flaw in the Spectra Gutenberg Blocks WordPress plugin, affecting all versions up to and including 2.19.25. An attacker with a Contributor account or higher can reach the vulnerable rendering path over the network by submitting post content containing a crafted two-block payload: the first block registers a fake uagb-prefixed block type with an attacker-chosen render_callback, and the second invokes it through call_user_func during sequential block rendering. Successful exploitation runs arbitrary PHP on the server, giving full read, write, and service-disruption capability. No fix version has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against WordPress plugin inventories in customer registries and CI pipelines, including custom-built images that bundle Spectra Gutenberg Blocks.

Triage: Available

Triage scoring is available using the published CVSS 8.8 (High) base score, reweighted by each customer organization's compliance policy (for example, internet-facing WordPress workloads or multi-tenant authoring environments raise priority), and routed to the appropriate inbox inside the customer organization.

Patch: Pending upstream

No upstream fix has been published yet. HarborGuard re-checks the Wordfence advisory on each ingest cycle, and a patched-image rebuild becomes available the moment brainstormforce ships a fixed Spectra release; auto-remediation customers then get the rebuild, a regression run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress site over the network to submit post content through the editor or REST API.

  • Authentication: Required

    A Contributor-level WordPress account (or higher) is required to author the malicious post containing the two-block payload.

  • Victim interaction: Not required

    No victim action is needed; the render_callback fires during normal block rendering in the same request.

  • Attack complexity: Low

    The two-block payload is deterministic and triggers reliably during sequential block rendering.

Blast Radius

  • Executes arbitrary PHP under the web server account, which typically means full control of the WordPress application.
  • Reads stored secrets, database credentials from wp-config.php, session tokens, and any customer data the site holds.
  • Modifies posts, user roles, plugin code, and persisted database rows, enabling persistent backdoors and privilege escalation to administrator.
  • Can disrupt or take the site offline by deleting files, exhausting resources, or pivoting to other services reachable from the web host.

How HarborGuard Handles This

Available on HarborGuard: continuous tracking of the Wordfence advisory for Spectra Gutenberg Blocks, with the patched-image rebuild becoming available automatically the moment brainstormforce publishes a fixed release. Until then, the platform surfaces compensating-control guidance for affected environments, including restricting Contributor and Author role assignments, gating post publication behind editorial review, applying a WAF rule that blocks uagb-prefixed block payloads referencing render_callback, and isolating the WordPress workload with network policy and egress filtering so a successful RCE cannot pivot. Note that editorial review narrows the audience but does not by itself stop exploitation: the advisory rates victim interaction as not required, so the callback fires whenever the attacker's own post content is rendered, before any publish decision is made. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are queued and will fire as soon as the upstream fix lands.
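One way to implement the content-inspection part of that guidance, as an added example that is not part of the advisory, of HarborGuard, or of the Spectra plugin's own code: a Python scan over Gutenberg-serialised post content that parses each block delimiter and flags uagb/-prefixed blocks whose attributes reference render_callback. The block-comment syntax is standard Gutenberg; the uagb/ block names in the sample, the attribute shape of the two-block payload, and the optional known_uagb_blocks allow-list are assumptions for illustration, since the page does not give the exact attribute layout the exploit uses. The scan goes slightly beyond the page's WAF rule: it checks the parsed attribute object rather than the raw string (so JSON-escaped spellings of the key are caught), still string-matches when the JSON is malformed, and can optionally flag any uagb/ block name outside an operator-maintained allow-list.

```python
import json
import re

# Gutenberg serialises every block as an HTML comment delimiter, optionally
# followed by a JSON object of block attributes:
#   <!-- wp:namespace/name {"attr":"value"} --> ... <!-- /wp:namespace/name -->
#   <!-- wp:namespace/name {"attr":"value"} /-->   (self-closing block)
# Core blocks omit the namespace: "wp:paragraph" means "core/paragraph".
_OPEN_DELIM = re.compile(r"<!--\s+wp:(?P<name>[a-z][a-z0-9-]*(?:/[a-z][a-z0-9-]*)?)")

# Per the advisory's WAF guidance: uagb/-prefixed block payloads that reference
# render_callback. The page does not give the exact attribute layout the
# exploit uses, so the key is searched at any nesting depth.
SUSPICIOUS_PREFIX = "uagb/"
SUSPICIOUS_KEY = "render_callback"


def iter_blocks(content):
    """Yield (name, attrs, raw_attrs) for each opening block delimiter.

    attrs is the parsed attribute dict ({} if absent, None if the JSON is
    malformed); raw_attrs is the attribute text exactly as it appears.
    """
    decoder = json.JSONDecoder()
    for m in _OPEN_DELIM.finditer(content):
        name = m.group("name")
        if "/" not in name:
            name = "core/" + name
        pos = m.end()
        while pos < len(content) and content[pos].isspace():
            pos += 1
        if pos >= len(content) or content[pos] != "{":
            yield name, {}, ""
            continue
        try:
            # raw_decode walks nested objects correctly; a regex would not.
            attrs, end = decoder.raw_decode(content, pos)
            yield name, attrs, content[pos:end]
        except json.JSONDecodeError:
            # Keep the raw text so a plain substring check can still run.
            end = content.find("-->", pos)
            yield name, None, content[pos:(end if end != -1 else len(content))]


def _contains_key(obj, key):
    """True if key occurs as a dict key anywhere inside nested dicts/lists."""
    if isinstance(obj, dict):
        return key in obj or any(_contains_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains_key(v, key) for v in obj)
    return False


def scan_post_content(content, known_uagb_blocks=None):
    """Return a list of findings for suspicious uagb/ blocks in post content.

    known_uagb_blocks is an optional, operator-maintained allow-list (an
    assumption of this example); when given, any uagb/ block name outside it
    is also flagged, since the advisory's payload registers a fake block type.
    """
    findings = []
    for name, attrs, raw in iter_blocks(content):
        if not name.startswith(SUSPICIOUS_PREFIX):
            continue
        if attrs is None:
            hit = SUSPICIOUS_KEY in raw
            reason = "malformed attributes mention " + SUSPICIOUS_KEY
        else:
            # Checking the parsed object also catches JSON-escaped spellings
            # such as "render\u005fcallback" that defeat a raw substring match.
            hit = _contains_key(attrs, SUSPICIOUS_KEY)
            reason = "attributes contain key " + SUSPICIOUS_KEY
        if hit:
            findings.append({"block": name, "reason": reason, "attrs": raw})
        elif known_uagb_blocks is not None and name not in known_uagb_blocks:
            findings.append({"block": name, "reason": "unknown uagb/ block type", "attrs": raw})
    return findings


# Constructed sample post content. The uagb/ block names and the attribute
# shape of the two-block payload are illustrative, not taken from the advisory.
SAMPLE_POST = """<!-- wp:paragraph -->
<p>Release notes</p>
<!-- /wp:paragraph -->
<!-- wp:uagb/advanced-heading {"block_id":"a1b2c3","headingTitle":"Welcome"} -->
<h2>Welcome</h2>
<!-- /wp:uagb/advanced-heading -->
<!-- wp:uagb/fake-block {"block_id":"x9","settings":{"render_callback":"some_php_function"}} /-->
<!-- wp:uagb/fake-block {"block_id":"y8"} /-->
"""

if __name__ == "__main__":
    for f in scan_post_content(SAMPLE_POST, known_uagb_blocks={"uagb/advanced-heading"}):
        print(f"{f['block']}: {f['reason']}  {f['attrs']}")
```

Run the scan on the decoded request body of post create/update calls (editor saves and the REST API both carry the serialised block content), not only at the WAF, since a WAF that matches the raw string misses escaped keys and cannot see content submitted over an encoding it does not normalise. Findings are a signal to reject or quarantine the save, not proof of exploitation; a vendor fix remains the only complete remediation.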


Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1
Affected packages:
  • brainstormforce / Spectra Gutenberg Blocks – Website Builder for the Block Editor, ≤ 2.19.25
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H