Platform
wordpress
Component
lazy-blocks
Fixed in
4.2.1
CVE-2026-1560 is a Remote Code Execution (RCE) vulnerability affecting the Custom Block Builder – Lazy Blocks plugin for WordPress. It allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server. Versions 0.0.0 through 4.2.0 are affected; a patch is available in version 4.2.1.
The impact of this vulnerability is significant due to the potential for remote code execution. An attacker with Contributor access can leverage this flaw to gain complete control over the WordPress server, potentially leading to data breaches, website defacement, malware installation, and further compromise of the network. The attacker could exfiltrate sensitive data, modify website content, or use the server as a launchpad for attacks against other systems. This vulnerability shares similarities with other WordPress plugin vulnerabilities where insufficient input validation allows for code injection.
CVE-2026-1560 was publicly disclosed on 2026-02-11. The vulnerability's ease of exploitation, combined with the prevalence of WordPress, suggests a moderate exploitation probability. No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of the vulnerability makes it likely that one will emerge. It is not currently listed in the CISA KEV catalog.
WordPress websites utilizing the Custom Block Builder – Lazy Blocks plugin, particularly those with multiple contributors or users with elevated privileges, are at significant risk. Shared hosting environments where plugin updates are not consistently managed are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'LazyBlocks_Blocks' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep lazy-blocks
• wordpress / composer / npm:
wp plugin list --status=active | grep lazy-blocks && wp plugin get lazy-blocks --field=version
Disclosure
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Custom Block Builder – Lazy Blocks plugin to version 4.2.1 or later immediately. If upgrading is not immediately feasible, consider temporary workarounds: strict Web Application Firewall (WAF) rules that filter potentially malicious requests targeting the vulnerable functions in the 'LazyBlocks_Blocks' class, and a review of the plugin's codebase to identify and block suspicious patterns. After upgrading, confirm the fix by exercising the previously vulnerable code paths and verifying that their input is now properly sanitized.
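The detection commands above and the version-based remediation here, as an added shell example that is not part of the advisory or of the plugin's own tooling: it reads the Version field of the WordPress plugin header and compares it with the fixed release 4.2.1 in plain POSIX sh, flagging anything in the affected range 0.0.0 through 4.2.0. The plugin directory is supplied by the caller; the demo at the end uses a constructed header file rather than a real install.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): flag an installed Lazy Blocks
# version in the affected range 0.0.0 through 4.2.0 by reading the "Version:" field of
# the WordPress plugin header and comparing it with the fixed release 4.2.1.
# Assumption: the caller passes the plugin directory (the demo uses a constructed one).
FIXED_VERSION="4.2.1"

# Print the first "Version: x.y.z" value in a WordPress plugin header file.
plugin_version_from_header() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Dotted-version comparison in plain POSIX sh (no sort -V): prints -1, 0 or 1.
version_compare() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0; [ -z "$bi" ] && bi=0   # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# Exit 0 when the given version is below the fixed release, i.e. affected.
lazy_blocks_vulnerable() {
    [ "$(version_compare "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Locate the plugin's main PHP file by its "Plugin Name:" header and report its status.
check_plugin_dir() {
    for f in "$1"/*.php; do
        [ -f "$f" ] && grep -q 'Plugin Name:.*Lazy Blocks' "$f" || continue
        v=$(plugin_version_from_header "$f")
        if lazy_blocks_vulnerable "$v"; then status="AFFECTED (< $FIXED_VERSION, CVE-2026-1560)"; else status="OK"; fi
        echo "$f version $v: $status"; return 0
    done
    echo "no Lazy Blocks plugin header found under $1"
    return 1
}

# Demo with a constructed plugin header (not a real file from the plugin).
demo_dir=$(mktemp -d)
printf '<?php\n/**\n * Plugin Name: Custom Block Builder - Lazy Blocks\n * Version: 4.2.0\n */\n' > "$demo_dir/lazy-blocks.php"
check_plugin_dir "$demo_dir"; rm -rf "$demo_dir"
```

On a real install, point `check_plugin_dir` at the plugin's directory under `wp-content/plugins/`; a non-zero exit means no plugin header matched.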
Update to version 4.2.1 or a newer patched version
CVE-2026-1560 is a Remote Code Execution vulnerability affecting the Custom Block Builder – Lazy Blocks WordPress plugin, allowing authenticated attackers to execute code on the server.
You are affected if you are using Custom Block Builder – Lazy Blocks versions 0.0.0 through 4.2.0. Upgrade immediately.
Upgrade the plugin to version 4.2.1 or later. As a temporary measure, implement WAF rules and code review.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.