PT-2026-31094 · WordPress · Wp Blockade

Youcef Hamdani · Published 2026-04-08 · Updated 2026-04-13 · CVE-2026-3480

CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Name of the Vulnerable Software and Affected Versions

WP Blockade plugin for WordPress versions up to and including 0.9.14

Description

The WP Blockade plugin for WordPress is susceptible to a missing authorization issue. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' which maps to the render_shortcode_preview() function. This function does not perform capability checks or nonce verification, allowing authenticated users to execute arbitrary WordPress shortcodes. The function retrieves a user-supplied shortcode parameter from the $_GET request, processes it with stripslashes(), and directly executes it using do_shortcode(). This allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes, potentially leading to information disclosure, privilege escalation, or other impacts depending on the registered shortcodes on the site.

Recommendations

Versions up to and including 0.9.14: Update to a version beyond 0.9.14.
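
The handler pattern described above next to a hardened form, as an added example for plugin reviewers; this is not the WP Blockade source or its actual fix. The example_ function names, the nonce action string, the 'shortcode' parameter name and the 'edit_posts' capability are assumptions.

```php
<?php
// Added illustration, not plugin code. Names prefixed example_ and the
// nonce action 'example_blockade_preview' are hypothetical.

// Before: the pattern the advisory describes. admin_post_{action} handlers
// run for every logged-in user, so with no checks a Subscriber reaches
// do_shortcode() with input taken from the query string.
function example_render_shortcode_preview_before() {
    $shortcode = stripslashes( $_GET['shortcode'] ); // parameter name assumed
    echo do_shortcode( $shortcode );
    exit;
}

// After: authorize the caller and verify intent before rendering anything.
function example_render_shortcode_preview_after() {
    // 1. Capability check. 'edit_posts' is an assumed requirement for a
    //    block-editor preview; the Subscriber role does not have it.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. Nonce verification. check_admin_referer() terminates the request
    //    when the _wpnonce value is missing or invalid for this action.
    check_admin_referer( 'example_blockade_preview' );

    // 3. Read the parameter defensively; reject arrays and missing values.
    $shortcode = isset( $_GET['shortcode'] ) ? wp_unslash( $_GET['shortcode'] ) : '';
    if ( ! is_string( $shortcode ) || '' === $shortcode ) {
        wp_die( 'Bad request', '', array( 'response' => 400 ) );
    }

    echo do_shortcode( $shortcode );
    exit;
}
// Hook name built from the action string given in the advisory.
add_action( 'admin_post_wp-blockade-shortcode-render', 'example_render_shortcode_preview_after' );

// The editor UI requests the preview through a URL that carries the nonce.
function example_preview_url( $shortcode ) {
    $url = add_query_arg(
        array( 'action' => 'wp-blockade-shortcode-render', 'shortcode' => rawurlencode( $shortcode ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_blockade_preview' );
}
```

When reviewing other plugins for the same weakness, look for admin_post_ or wp_ajax_ callbacks that reach do_shortcode() without a preceding current_user_can() and nonce check.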

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-3480

Affected Products: Wp Blockade