RCE in Spectra Gutenberg Blocks WordPress Plugin
CVE-2026-7465 is a remote code execution vulnerability in the Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress affecting all versions up to and including 2.19.25. The flaw can be exploited by authenticated users with Contributor-level privileges or higher by embedding a crafted two-block payload in post content. Per the provided details, the first block registers a fake block type with a uagb/ prefix and an attacker-controlled render_callback, and a second block of that same fake type causes the callback to be invoked via call_user_func() during sequential block rendering within the same page request. This results in attacker-controlled server-side code execution in the context of the vulnerable WordPress application.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a README and one Python exploit script. The README documents CVE-2026-7465 in Spectra Gutenberg Blocks <= 2.19.25, describing an authenticated Contributor+ arbitrary PHP function call / RCE path caused by unsafe registration of attacker-controlled block attributes into WP_Block_Type_Registry. The exploitation model is a two-block Gutenberg payload: the first malicious uagb/ block registers a fake block type with a chosen render_callback, and the second block with the same name triggers WordPress to call that callback with attacker-controlled arguments. The documented example uses wp_insert_user to create an administrator account. The main code file, poc.py, is a black-box HTTP exploit written in Python using requests. It performs reconnaissance against the target WordPress site, checks plugin presence via the Spectra plugin PHP path, checks REST API availability at /wp-json/, verifies wp-login.php accessibility, authenticates as a Contributor, creates a draft exploit post through HTTP interactions, triggers rendering via preview/frontend access, verifies success by attempting login as the newly created admin, and leaves artifacts for manual verification. The script is operational rather than a mere detector because it automates exploitation and post-exploitation verification. The attack vector is web-based and requires valid low-privileged WordPress credentials plus a vulnerable Spectra installation.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.