PT-2026-20352 · WordPress

Ali Sünbül · Published 2026-02-18 · Updated 2026-02-18

CVE-2026-2633
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Gutenberg Blocks with AI by Kadence WP plugin for WordPress, versions up to and including 3.6.1

Description
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is susceptible to a missing authorization issue. The process_image_data_ajax_callback() function, which handles the kadence_import_process_image_data AJAX action, lacks a complete capability check: it verifies the edit_posts capability but does not verify the upload_files capability. This allows authenticated attackers with Contributor-level access or higher to upload arbitrary images from remote URLs to the WordPress Media Library, circumventing the standard WordPress capability restrictions that prevent Contributors from uploading files. The vulnerable function is process_image_data_ajax_callback(). The vulnerable AJAX action is kadence_import_process_image_data.

Recommendations
Update the Gutenberg Blocks with AI by Kadence WP plugin to a version beyond 3.6.1.
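The following is an added illustration of the authorization pattern the description refers to; it is not the plugin's actual code and is not taken from the Kadence project. It shows a hypothetical AJAX handler that, like the flawed callback, checks only edit_posts (which Contributors hold by default), next to a hardened version that also requires upload_files, the capability WordPress itself uses to gate Media Library uploads. The function names and AJAX action follow the advisory; the nonce name, the request parameter name and the URL validation step are assumptions added here.

```php
<?php
// Added example, not the plugin's code. Names marked "assumed" are illustrative.

// --- Weak pattern as described in the advisory: only edit_posts is verified. ---
// A Contributor passes this check, so the handler sideloads a remote image into
// the Media Library even though WordPress normally denies Contributors uploads.
function weak_process_image_data_ajax_callback() {
    check_ajax_referer( 'kadence_import_nonce', 'security' ); // nonce name assumed
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'unauthorized', 403 );            // wp_die()s on its own
    }
    $url = isset( $_POST['image_url'] ) ? esc_url_raw( wp_unslash( $_POST['image_url'] ) ) : '';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $id = media_sideload_image( $url, 0, null, 'id' );         // creates an attachment
    wp_send_json_success( array( 'attachment_id' => $id ) );
}

// --- Hardened pattern: require the same capability core uses for uploads. ---
function hardened_process_image_data_ajax_callback() {
    check_ajax_referer( 'kadence_import_nonce', 'security' ); // nonce name assumed
    // Both capabilities must hold: the caller may edit posts AND may upload files.
    if ( ! current_user_can( 'edit_posts' ) || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'unauthorized', 403 );
    }
    $url = isset( $_POST['image_url'] ) ? esc_url_raw( wp_unslash( $_POST['image_url'] ) ) : '';
    // Extra hardening not stated in the advisory: reject malformed or non-http(s) URLs
    // before any outbound fetch is made.
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid_url', 400 );
    }
    // media_sideload_image() lives in admin includes, which AJAX requests do not load.
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $id = media_sideload_image( $url, 0, null, 'id' );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'attachment_id' => $id ) );
}
add_action( 'wp_ajax_kadence_import_process_image_data', 'hardened_process_image_data_ajax_callback' );
```

The point for reviewers of any custom AJAX handler: a nonce only proves the request came from a page the user loaded, and edit_posts only proves the user may write content; any handler that ends up calling media_sideload_image(), wp_insert_attachment() or similar must gate on upload_files (or a stricter capability), because that is the check the core media endpoints apply and that Contributors fail by default. On a site that ran an affected version, attachments whose author is a Contributor-role account are a useful indicator to review.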

Weakness Enumeration
Missing Authorization

Related Identifiers
CVE-2026-2633

Affected Products
Gutenberg Blocks with AI by Kadence WP
WordPress