CVE-2026-0950
Unknown Unknown - Not Provided

Information Disclosure in Spectra Gutenberg Blocks Plugin for WordPress

Vulnerability report for CVE-2026-0950, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Wordfence

Description

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-07-06
AI Q&A
2026-02-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ultimate_addons_for_gutenberg ultimate_addons_for_gutenberg to 2.19.17 (inc)
ultimate_addons_for_gutenberg ultimate_addons_for_gutenberg 2.19.18

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access excerpts of password-protected posts, leading to unauthorized information disclosure. This exposure of protected content could potentially violate data privacy and protection regulations such as GDPR or HIPAA, which require safeguarding sensitive or personal data from unauthorized access. Therefore, the vulnerability undermines compliance with these standards by failing to adequately protect confidential information. [4]

Executive Summary

The vulnerability in the Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress allows unauthenticated attackers to read excerpts of password-protected posts. This happens because the plugin fails to check if a post is password-protected (using the `post_password_required()` function) before rendering post excerpts in certain functions (`render_excerpt()` and `uagb_get_excerpt()`). As a result, anyone can view excerpts of protected posts simply by visiting any page containing specific Spectra blocks like Post Grid, Post Masonry, Post Carousel, or Post Timeline.

Impact Analysis

This vulnerability can lead to unauthorized information disclosure. Specifically, sensitive content from password-protected posts can be partially exposed through their excerpts without requiring authentication. This could compromise privacy or confidentiality of protected content, potentially leaking information that was intended to be restricted to authorized users only.

Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin version 2.19.17 or earlier. Specifically, you can look for pages containing Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline blocks and test if excerpts of password-protected posts are visible without authentication. There are no explicit commands provided in the resources to detect this vulnerability on a network or system. However, a practical approach is to attempt accessing pages with these blocks and verify if excerpts of password-protected posts are exposed. Additionally, checking the installed plugin version via WordPress CLI can help: `wp plugin get ultimate-addons-for-gutenberg --field=version` to confirm if the version is vulnerable (<= 2.19.17). [5]

Mitigation Strategies

The immediate mitigation step is to update the Ultimate Addons for Gutenberg plugin to version 2.19.18 or later, where the vulnerability has been fixed by adding proper checks for password-protected posts before rendering excerpts. This update includes security and access control improvements that prevent unauthenticated users from viewing excerpts of password-protected posts. If updating immediately is not possible, consider disabling or removing blocks that display post excerpts (Post Grid, Post Masonry, Post Carousel, Post Timeline) until the update can be applied. Additionally, review and restrict REST API access to sensitive custom post types as implemented in version 2.19.18. [4]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0950. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart