PT-2026-20288 · WordPress

Ali Sünbül · Published 2026-02-18 · Updated 2026-02-18

CVE-2026-1857
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gutenberg Blocks with AI by Kadence WP plugin for WordPress, versions up to and including 3.6.1
Description: The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is susceptible to Server-Side Request Forgery due to inadequate validation of the endpoint parameter within the get_items() function of the GetResponse REST API handler. The permission check for this route only requires the edit_posts capability, so attackers with Contributor-level access or higher can make server-side requests to arbitrary endpoints on the configured GetResponse API server. This can lead to the retrieval of sensitive data, including contacts, campaigns, and mailing lists, using the site's stored API credentials. The stored API key is also exposed in the request headers.
Recommendations: Update the Gutenberg Blocks with AI by Kadence WP plugin for WordPress to a version later than 3.6.1.
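The description points at two missing controls: a permission check that stops at edit_posts, and an endpoint parameter that is forwarded to the upstream API without validation, carrying the site's stored API key with it. The following is an added, hypothetical illustration of how a WordPress REST route that proxies to a third-party API can be registered with both controls in place. It is not the Kadence plugin's code and does not reproduce the vulnerable handler; the namespace example-plugin/v1, the example_plugin_* function names, the option name, the allowlisted path names, the authorization header scheme and the base URL api.example.invalid are all assumptions.

```php
<?php
// Added, hypothetical example (not the plugin's own code): a REST route that
// proxies to a third-party mail API, but (1) requires an administrator-level
// capability instead of edit_posts and (2) only accepts allowlisted endpoint
// names, so the stored API key is never sent to an attacker-chosen path.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/mail/(?P<endpoint>[a-z-]+)', array(
        'methods'  => 'GET',
        'callback' => 'example_plugin_proxy_get_items',
        // Contributors hold edit_posts; this call spends the site's stored API
        // credentials, so require a capability only administrators hold.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'endpoint' => array(
                'required'          => true,
                // Reject anything that is not one of the paths the integration needs.
                'validate_callback' => function ( $value ) {
                    return in_array( $value, example_plugin_allowed_endpoints(), true );
                },
            ),
        ),
    ) );
} );

// Hypothetical allowlist of upstream API paths the block editor actually uses.
function example_plugin_allowed_endpoints() {
    return array( 'campaigns', 'tags' );
}

function example_plugin_proxy_get_items( WP_REST_Request $request ) {
    $endpoint = $request['endpoint'];

    // Defence in depth: re-check the allowlist inside the handler as well.
    if ( ! in_array( $endpoint, example_plugin_allowed_endpoints(), true ) ) {
        return new WP_Error( 'invalid_endpoint', 'Endpoint not allowed.', array( 'status' => 400 ) );
    }

    $api_key = get_option( 'example_plugin_mail_api_key' ); // hypothetical option name
    if ( empty( $api_key ) ) {
        return new WP_Error( 'not_configured', 'API key not configured.', array( 'status' => 500 ) );
    }

    // The host and version prefix are fixed; the caller controls only the
    // allowlisted final path segment, which is still URL-encoded.
    $url = 'https://api.example.invalid/v3/' . rawurlencode( $endpoint );

    $response = wp_remote_get( $url, array(
        'timeout' => 10,
        // Header scheme is an assumption; it depends on the upstream API.
        'headers' => array( 'Authorization' => 'Bearer ' . $api_key ),
    ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'upstream_error', 'Upstream request failed.', array( 'status' => 502 ) );
    }

    $body = json_decode( wp_remote_retrieve_body( $response ), true );

    // Return only the data the editor needs; never echo the upstream request,
    // its headers or the credential back to the client.
    return rest_ensure_response( array( 'items' => is_array( $body ) ? $body : array() ) );
}
```

Which capability is appropriate depends on who legitimately configures the integration; the point is that it must be stronger than edit_posts when the route spends site-wide credentials. The allowlist, rather than a pattern match on the parameter, is what prevents the route from becoming a generic proxy to the configured API server.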

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-1857

Affected Products

Gutenberg Blocks With Ai
Wordpress