Threat Feed
Severity: high (advisory)

CVE-2026-7465: Spectra Gutenberg Blocks WordPress Plugin Remote Code Execution

The Spectra Gutenberg Blocks WordPress plugin is vulnerable to remote code execution: an authenticated attacker with Contributor access or higher can execute arbitrary PHP on the server by placing a crafted two-block payload in post content.

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress, in all versions up to and including 2.19.25, contains a remote code execution vulnerability tracked as CVE-2026-7465. It allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server by embedding a specific two-block payload in post content. The root cause is insecure handling of block rendering callbacks: the rendering path can be made to invoke a callback that the attacker supplies through content rather than one registered by the plugin's own code. Contributor is the lowest standard WordPress role that can author posts, so any site that accepts guest or community authors is exposed, and successful exploitation can lead to full server compromise.

Attack Chain

  1. An attacker authenticates to a WordPress site with at least Contributor-level privileges.
  2. The attacker creates a new post or edits one they already own.
  3. The attacker crafts a payload consisting of two specially designed blocks.
  4. The first block declares a fake block type whose name carries the plugin's uagb/ prefix. That block definition includes a render_callback chosen by the attacker.
  5. The second block in the same post uses the fake block type declared in the first.
  6. When the post is rendered, WordPress parses and renders the blocks in document order.
  7. On reaching the second block, the block rendering path resolves the attacker-defined render_callback and invokes it via call_user_func().
  8. The attacker-controlled callback runs inside the PHP process serving the site, giving remote code execution.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the affected WordPress server with the privileges of the PHP process serving the site. This can lead to complete compromise of the web server, including reading sensitive data (database credentials in wp-config.php, user data), modifying website content, installing backdoors, or using the server as a staging ground for further attacks. The vulnerability affects all WordPress sites running Spectra Gutenberg Blocks versions up to and including 2.19.25.

Recommendation

  • Upgrade the Spectra Gutenberg Blocks plugin to a patched release later than 2.19.25 to remediate CVE-2026-7465; this advisory does not name the fixed version, so confirm it against the plugin changelog.
  • Deploy the Sigma rule “Detect CVE-2026-7465 Exploitation Attempt via Suspicious uagb Block Registration” to identify attempts to register block types with the uagb/ prefix from outside the plugin.
  • Monitor for the rendering path invoking attacker-supplied callbacks. Note that ordinary web server access logs do not record PHP function calls such as call_user_func(); detecting this requires PHP-level logging, a WAF or audit log that captures request bodies, or direct inspection of stored post content and revisions for uagb/ blocks the plugin does not register.
  • Review accounts holding Contributor or higher roles and the posts they have authored, since the flaw is reachable by the lowest role that can create posts.

Detection coverage (2 rules)

Detect CVE-2026-7465 Exploitation Attempt via Suspicious uagb Block Registration

Severity: high

Detects CVE-2026-7465 exploitation attempts by identifying HTTP requests whose body registers or submits block types with the `uagb/` prefix, which may indicate an attacker defining a malicious render callback. The log source must capture request bodies; a plain access log shows only the request line.

Rule type: Sigma. Tactics: execution, initial_access. Techniques: T1189. Sources: webserver.

Detect CVE-2026-7465 Exploitation Attempt via call_user_func in WordPress Logs

Severity: high

Detects CVE-2026-7465 exploitation attempts by identifying `call_user_func` in WordPress log entries, which may be emitted when a malicious block render callback is invoked.

Rule type: Sigma. Tactics: execution. Techniques: T1547.004. Sources: webserver.
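The following is an added example for hunting the payload shape described in the attack chain and the block-registration rule above. It is an editor's illustration, not code from Spectra, its vendor, or the detection platform. It parses Gutenberg's serialized block comments out of post content and flags uagb/ blocks that are either absent from a known-block allowlist or carry a callback-like attribute. Assumptions: the attacker-supplied definition surfaces as a JSON attribute named render_callback (or callback) inside the block comment, which the advisory does not confirm, so SUSPICIOUS_ATTR_KEYS should be adjusted to what you observe; KNOWN_UAGB_BLOCKS is an illustrative subset rather than the plugin's full registry; the sample post content and REST request body are constructed and contain no real exploit.

```python
"""Hunt for suspicious Spectra (uagb/) block definitions in WordPress content.

Added illustration for CVE-2026-7465; not Spectra's code and not the platform's rule.
"""
from __future__ import annotations

import json
import re
from typing import Iterator

# Gutenberg serialises a block as an HTML comment with an optional JSON attribute object:
#   <!-- wp:ns/name {"attr":1} -->inner HTML<!-- /wp:ns/name -->
# or, for blocks with no inner content, the self-closing form:
#   <!-- wp:ns/name {"attr":1} /-->
BLOCK_OPEN_RE = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9-]*(?:/[a-z][a-z0-9-]*)?)"  # core blocks omit the namespace
    r"(?:\s+(?P<attrs>\{.*?\}))?"                                # lazy: first '}' that precedes '-->'
    r"\s+/?-->",
    re.DOTALL,
)

# Assumption: an injected block definition carries its callable under a key like these.
# The advisory does not state the exact encoding; extend this from what you observe.
SUSPICIOUS_ATTR_KEYS = {"render_callback", "callback"}

# Illustrative subset only. In production, dump the real list from
# WP_Block_Type_Registry::get_instance()->get_all_registered() and keep the uagb/ entries.
KNOWN_UAGB_BLOCKS = {"uagb/advanced-heading", "uagb/buttons", "uagb/container"}


def iter_blocks(content: str) -> Iterator[tuple[str, dict]]:
    """Yield (block_name, attributes) for every serialised block in post content."""
    for m in BLOCK_OPEN_RE.finditer(content):
        raw = m.group("attrs")
        try:
            attrs = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            attrs = {"_unparsed": raw}  # keep malformed JSON visible instead of dropping the block
        yield m.group("name"), attrs


def _walk_keys(node) -> Iterator[str]:
    """Recursively yield every dictionary key in a nested attribute object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _walk_keys(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_keys(value)


def find_suspicious_uagb_blocks(content: str, known_uagb: set[str]) -> list[dict]:
    """Flag uagb/ blocks that are unregistered or that carry a callback-like attribute."""
    findings = []
    for name, attrs in iter_blocks(content):
        if not name.startswith("uagb/"):
            continue
        reasons = []
        if name not in known_uagb:
            reasons.append("unregistered uagb/ block type")
        hits = sorted({k for k in _walk_keys(attrs) if k.lower() in SUSPICIOUS_ATTR_KEYS})
        if hits:
            reasons.append("callback-like attribute: " + ", ".join(hits))
        if reasons:
            findings.append({"block": name, "attrs": attrs, "reasons": reasons})
    return findings


def scan_rest_request_body(body: str, known_uagb: set[str]) -> list[dict]:
    """Apply the same scan to the JSON body of a REST API post create/update request."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(payload, dict):
        return []
    content = payload.get("content", "")
    if isinstance(content, dict):  # the posts endpoint also accepts {"raw": "..."}
        content = content.get("raw", "")
    return find_suspicious_uagb_blocks(str(content), known_uagb)


# Constructed sample content, not a real exploit payload: one legitimate Spectra block,
# then a fake uagb/ type carrying a callback attribute, then a second block reusing that type.
SAMPLE_POST_CONTENT = """
<!-- wp:paragraph --><p>Hello</p><!-- /wp:paragraph -->
<!-- wp:uagb/advanced-heading {"block_id":"abc123","headingTitle":"Welcome"} /-->
<!-- wp:uagb/fake-widget {"render_callback":"attacker_supplied_callable","block_id":"deadbeef"} /-->
<!-- wp:uagb/fake-widget {"block_id":"deadbeef"} /-->
"""

# Constructed REST body, as a WAF or reverse proxy with body logging might capture it.
SAMPLE_REST_BODY = json.dumps({
    "title": "Draft",
    "status": "draft",
    "content": '<!-- wp:uagb/fake-widget {"render_callback":"attacker_supplied_callable"} /-->',
})

if __name__ == "__main__":
    for hit in find_suspicious_uagb_blocks(SAMPLE_POST_CONTENT, KNOWN_UAGB_BLOCKS):
        print(hit["block"], "->", "; ".join(hit["reasons"]))
    print("REST body findings:", len(scan_rest_request_body(SAMPLE_REST_BODY, KNOWN_UAGB_BLOCKS)))
```

Run find_suspicious_uagb_blocks over wp_posts.post_content, including rows with post_type of revision and autosave, since a Contributor's draft never has to be published for its content to be stored; run scan_rest_request_body over a log source that actually retains request bodies. The unregistered-type check is the more robust signal, because it does not depend on guessing the attribute key the attacker used.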
