{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0950", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-14T17:53:04.377Z", "datePublished": "2026-02-03T05:30:14.865Z", "dateUpdated": "2026-04-08T17:23:50.568Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:50.568Z"}, "affected": [{"vendor": "brainstormforce", "product": "Spectra Gutenberg Blocks \u2013 Website Builder for the Block Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.19.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Spectra Gutenberg Blocks \u2013 Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block."}], "title": "Spectra Gutenberg Blocks <= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1303"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1303"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1621"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1621"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L2196"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L2196"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-helper.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/classes/class-uagb-helper.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3443216%40ultimate-addons-for-gutenberg%2Ftrunk&old=3410395%40ultimate-addons-for-gutenberg%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2026-01-14T18:08:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-02T16:58:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:56:55.439332Z", "id": "CVE-2026-0950", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:57:03.562Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:56:55.439332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:56:58.643Z"}}], "cna": {"title": "Spectra Gutenberg Blocks <= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "brainstormforce", "product": "Spectra Gutenberg Blocks \u2013 Website Builder for the Block Editor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.19.17"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-14T18:08:20.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-02T16:58:28.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1303"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1303"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1621"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1621"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L2196"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L2196"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-helper.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/classes/class-uagb-helper.php#L1403"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3443216%40ultimate-addons-for-gutenberg%2Ftrunk&old=3410395%40ultimate-addons-for-gutenberg%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Spectra Gutenberg Blocks \u2013 Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-03T05:30:14.865Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0950", "state": "PUBLISHED", "dateUpdated": "2026-02-03T15:57:03.562Z", "dateReserved": "2026-01-14T17:53:04.377Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-03T05:30:14.865Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Spectra Gutenberg Blocks \u2013 Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block."}, {"lang": "es", "value": "El plugin Spectra Gutenberg Blocks \u2013 Website Builder para el Editor de Bloques para WordPress es vulnerable a revelaci\u00f3n de informaci\u00f3n en todas las versiones hasta e incluyendo la 2.19.17. Esto se debe a que el plugin no verifica `post_password_required()` antes de renderizar extractos de publicaciones en la funci\u00f3n `render_excerpt()` y la funci\u00f3n auxiliar `uagb_get_excerpt()`. Esto hace posible que atacantes no autenticados lean extractos de publicaciones protegidas con contrase\u00f1a simplemente viendo cualquier p\u00e1gina que contenga un bloque Spectra Post Grid, Post Masonry, Post Carousel o Post Timeline."}], "id": "CVE-2026-0950", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-03T06:15:53.387", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1303"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1621"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L2196"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/classes/class-uagb-helper.php#L1403"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1303"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1621"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L2196"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-helper.php#L1403"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3443216%40ultimate-addons-for-gutenberg%2Ftrunk&old=3410395%40ultimate-addons-for-gutenberg%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:54:46.146412+00:00", "value": {"mitigation_remediation": ["Upgrade Spectra Gutenberg Blocks to version\u20092.19.18 or later, which implements proper post\u2011password checks before rendering excerpts.", "If an immediate upgrade is not possible, remove or temporarily disable the Post Grid, Post Masonry, Post Carousel, and Post Timeline blocks from front\u2011end pages until a patch is applied.", "Consider bypassing password protection on sensitive posts or disabling excerpt rendering via theme customizations until the update is delivered."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Spectra Gutenberg Blocks \u2013 Website Builder for the Block Editor plugin from Brainstormforce, version 2.19.17 or earlier, are affected. The vulnerability exists in all releases up to and including 2.19.17 and impacts any block types that render post excerpts, such as Post Grid, Post Masonry, Post Carousel, or Post Timeline.", "description_and_impact": "The Spectra Gutenberg Blocks \u2013 Website Builder for the Block Editor plugin contains a flaw that allows unauthenticated visitors to read excerpts from password\u2011protected posts. The vulnerability is triggered by missing checks for post protection when rendering excerpts in the render_excerpt() function and the uagb_get_excerpt() helper. This results in accidental exposure of sensitive content to anyone who can view a page containing a Post Grid, Post Masonry, Post Carousel, or Post Timeline block.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, and the EPSS score of less than 1\u202f% represents a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker only requires the ability to view a page containing the vulnerable blocks; no authentication or privileged access is needed to read the exposed excerpts. The vulnerability exploits a standard information disclosure weakness (CWE\u2011200) and poses risks to confidentiality for all protected posts displayed in affected blocks."}}}}, "created": "2026-02-04T12:14:59.196671+00:00", "updated": "2026-04-15T19:00:12.307168+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$spectra", "wordpress", "wordpress$PRODUCT$wordpress"]}