Spectra Gutenberg Blocks CVE-2026-7465: Authenticated Remote Code Execution via Arbitrary PHP Function Call

Vulnerability Overview Vulnerability Name: Spectra Gutenberg Blocks <= 2.19.25 - Authenticated (Contributor+) Remote Code Execution via Arbitrary PHP Function Call via Block Attributes CVE ID: CVE-2026-7465 CVSS Score: 8.8 (High) Publication Date: May 29, 2026 Last Update Date: May 30, 2026 Researcher: ka63001 Impact Scope Software Type: Plugin Software Name: Spectra Gutenberg Blocks – Website Builder for the Block Editor Affected Versions: <= 2.19.25 Fixed Version: 2.19.26 Remediation Recommendation: Upgrade to version 2.19.26 or a newer patched version. Additional Information Vulnerability Description: The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin, in versions 2.19.25 and earlier, contains a remote code execution vulnerability. Attackers can trigger arbitrary PHP function calls by constructing specific block attributes, thereby executing malicious code. References: - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - plugins.trac.wordpress.org - wordpress.org Recent Related Vulnerabilities Spectra <= 2.19.22 - Missing Authorization - CVE ID: CVE-2026-42648 - CVSS Score: 4.3 - Researcher: Trương Hữu Phúc (truonghuphuc) - Publication Date: March 27, 2026 Spectra Gutenberg Blocks <= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data - CVE ID: CVE-2026-0950 - CVSS Score: 5.3 - Researcher: johka - Publication Date: February 2, 2026 Spectra <= 2.19.17 - Missing Authorization - CVE ID: CVE-2026-24982 - CVSS Score: 5.3 - Researcher: Bao - BlueRock - Publication Date: January 17, 2026 Spectra <= 2.19.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS - CVE ID: CVE-2025-11162 - CVSS Score: 6.4 - Researcher: Muhammad Yudha - DJ - Publication Date: November 4, 2025 Spectra - WordPress Gutenberg Blocks <= 2.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2025-1784 - CVSS Score: 6.4 - Researcher: Peter Thaleikis - Publication Date: March 25, 2025 Spectra - WordPress Gutenberg Blocks <= 2.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget - CVE ID: CVE-2024-10484 - CVSS Score: 6.4 - Researcher: zer0h0st - Publication Date: December 2, 2024 Spectra - WordPress Gutenberg Blocks <= 2.15.0 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2024-7590 - CVSS Score: 6.4 - Researcher: João Pedro Soares de Alcântara - Publication Date: August 7, 2024 Spectra <= 2.13.7 - Missing Authorization via generate_ai_content - CVE ID: CVE-2024-37517 - CVSS Score: 4.3 - Researcher: Rafie Muhammad - Publication Date: July 5, 2024 Spectra - WordPress Gutenberg Blocks <= 2.13.0 - Authenticated (Author+) Stored Cross-Site Scripting - CVE ID: CVE-2024-4366 - CVSS Score: 6.4 - Researcher: Ngô Thiên An (ancom_) - Publication Date: May 23, 2024 Spectra - WordPress Gutenberg Blocks <= 2.13.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Gallery Block - CVE ID: CVE-2024-1815 - CVSS Score: 6.4 - Researcher: wesley (wcraft) - Publication Date: May 22, 2024 Summary This vulnerability allows authenticated users (Contributor privilege and above) to achieve remote code execution by constructing specific block attributes to trigger arbitrary PHP function calls. Users are advised to upgrade to version 2.19.26 or a newer patched version as soon as possible to remediate this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Spectra Gutenberg Blocks CVE-2026-7465: Authenticated Remote Code Execution via Arbitrary PHP Function Call

More from this source