Cyber Posture

CVE-2026-1560

Severity: High

Published: 11 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (plugin changeset 3454012)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent / recover)

Directly mitigates the RCE by requiring timely remediation: update the Lazy Blocks plugin to the patched version (plugin changeset 3454012). Because every release up to and including 4.2.0 is affected, any installed version at or below 4.2.0 must be treated as vulnerable.

AC-6 Least Privilege (prevent)

Denies Contributor-level access or higher to untrusted users, removing the authenticated precondition for exploitation. Review open registration ("Anyone can register") and the "New User Default Role" setting as well as existing accounts: a site that hands out Contributor on sign-up gives an attacker the required privilege for free.

CM-7 Least Functionality (prevent)

Disables or removes the Lazy Blocks plugin where it is not needed, eliminating the vulnerable 'LazyBlocks_Blocks' class functions. Deactivation alone leaves the code on disk and the exposure returns on re-activation; delete the plugin, or update it, if it cannot be kept patched.
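The three controls above reduce to checks a WordPress operator can run against WP-CLI output. The Python below is an added example written for this page, not code from the page or from the Lazy Blocks project. It assumes the JSON shapes produced by `wp plugin list --format=json` (fields name, status, version) and `wp user list --format=json --fields=user_login,roles` (roles as a comma-separated string); the embedded sample data is constructed, and the plugin slug lazy-blocks is taken from the plugins.trac.wordpress.org paths cited on this page.

```python
"""Exposure triage for CVE-2026-1560 (Lazy Blocks <= 4.2.0) from WP-CLI JSON.

Maps the three mitigating controls to checks:
  SI-2  is the installed version at or below 4.2.0?
  AC-6  which accounts hold Contributor-level access or above?
  CM-7  is the plugin active at all?
"""
import json

PLUGIN_SLUG = "lazy-blocks"      # plugin directory name, as in the trac paths cited on the page
LAST_VULNERABLE = "4.2.0"        # all versions up to and including this one are affected
# Built-in WordPress roles that satisfy "Contributor-level access and above"
PRIVILEGED_ROLES = {"contributor", "author", "editor", "administrator"}
ACTIVE_STATUSES = {"active", "active-network"}   # WP-CLI status values for a loaded plugin (assumed)

# Constructed sample input in the shape of `wp plugin list --format=json` (assumption)
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "lazy-blocks", "status": "active", "update": "available", "version": "4.2.0"},
])
# Constructed sample input in the shape of `wp user list --format=json --fields=user_login,roles`
SAMPLE_USERS = json.dumps([
    {"user_login": "alice", "roles": "administrator"},
    {"user_login": "bob", "roles": "contributor"},
    {"user_login": "carol", "roles": "subscriber"},
    {"user_login": "dave", "roles": "shop_manager"},
])


def parse_version(version):
    """'4.2.0' -> (4, 2, 0). Trailing non-digits in a component ('1-beta') are ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version):
    """True for every release up to and including LAST_VULNERABLE."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def privileged_accounts(users):
    """Split users into (Contributor-or-above, custom roles that need manual review)."""
    privileged, review = [], []
    for user in users:
        roles = {r.strip() for r in user["roles"].split(",") if r.strip()}
        if roles & PRIVILEGED_ROLES:
            privileged.append(user["user_login"])
        elif roles - {"subscriber"}:
            # a custom role may carry edit_posts (Contributor's key capability); flag it
            review.append(user["user_login"])
    return privileged, review


def assess(plugins_json, users_json):
    """Return a triage dict; 'exposed' means the vulnerable code is installed and loaded."""
    plugins = json.loads(plugins_json)
    plugin = next((p for p in plugins if p["name"] == PLUGIN_SLUG), None)
    result = {"installed": plugin is not None, "active": False, "version": None,
              "vulnerable_version": False, "exposed": False,
              "privileged_users": [], "review_users": [], "actions": []}
    if plugin is None:
        return result
    result["version"] = plugin["version"]
    result["active"] = plugin["status"] in ACTIVE_STATUSES
    result["vulnerable_version"] = is_vulnerable_version(plugin["version"])
    result["exposed"] = result["vulnerable_version"] and result["active"]
    result["privileged_users"], result["review_users"] = privileged_accounts(json.loads(users_json))
    if result["vulnerable_version"]:
        result["actions"].append("SI-2: update lazy-blocks (wp plugin update lazy-blocks) or remove it")
        if result["active"]:
            result["actions"].append("CM-7: deactivate until patched (wp plugin deactivate lazy-blocks)")
    if result["privileged_users"]:
        result["actions"].append(
            "AC-6: confirm these Contributor+ accounts are trusted: " + ", ".join(result["privileged_users"]))
    return result


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_PLUGINS, SAMPLE_USERS), indent=2))
```

On a real site, feed the script the two WP-CLI commands' output instead of the constructed samples. Accounts with custom roles land in review_users rather than privileged_users because a custom role's capabilities are not visible in the user list; check whether it grants edit_posts before treating it as harmless.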

Security Summary [AI-generated]

CVE-2026-1560 is a Remote Code Execution vulnerability (CWE-94, code injection) in the Custom Block Builder – Lazy Blocks plugin for WordPress, affecting all versions up to and including 4.2.0. The flaw lies in multiple functions of the 'LazyBlocks_Blocks' class and was publicly disclosed on 2026-02-11. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, low privileges required, no user interaction, and high confidentiality, integrity and availability impact. The Privileges Required: Low component is what keeps the vector in the High rather than the Critical band.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation allows them to execute arbitrary code on the server, which could result in full compromise of the WordPress installation. Contributor is the lowest built-in role that can create and edit posts and is routinely granted to guest authors, so on multi-author sites the precondition is cheap to meet.

Wordfence's threat intelligence advisory provides further details on the vulnerability (https://www.wordfence.com/threat-intel/vulnerabilities/id/b1853c88-277b-4955-b042-aeed1cffb49b?source=cve). The fix is plugin changeset 3454012 (https://plugins.trac.wordpress.org/changeset/3454012/), with vulnerable code locations identified in class-blocks.php at lines 766 and 1637 (https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L766, https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L1637) and class-rest.php at line 88 (https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-rest.php#L88); note that these anchors point at trunk rather than a pinned revision, so the line numbers drift as the files change, and the changeset diff is the stable reference. Security practitioners should update the plugin immediately and review which accounts hold the Contributor role or above.

Details

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1560 is a remote code execution flaw in a public-facing WordPress plugin, exploitable over the network by authenticated low-privilege (Contributor) users, which maps directly to T1190: Exploit Public-Facing Application. The mapping starts from a valid Contributor account; how the adversary obtains one (open registration, a compromised guest author) is outside this technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Wordfence threat intelligence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/b1853c88-277b-4955-b042-aeed1cffb49b?source=cve
Fix, plugin changeset 3454012: https://plugins.trac.wordpress.org/changeset/3454012/
Affected code, class-blocks.php (trunk): https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L766
Affected code, class-blocks.php (trunk): https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L1637
Affected code, class-rest.php (trunk): https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-rest.php#L88