CVE-2026-6703
Unauthorized Access in Responsive Blocks Plugin Allows Site-wide Config Changes
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| responsive_blocks | page_builder_for_blocks_and_patterns | to 2.2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Responsive Blocks β Page Builder for Blocks & Patterns WordPress plugin, versions up to and including 2.2.1. It occurs because the plugin does not properly verify whether a user is authorized to perform certain actions.
As a result, authenticated users with contributor-level access or higher can exploit this flaw to modify global site-wide plugin configuration options without proper permission.
- Modify global plugin settings such as toggling custom CSS
- Disable blocks
- Change layout defaults like content width, container padding, and container gap
- Alter auto-block-recovery behavior
How can this vulnerability impact me? :
This vulnerability allows authenticated users with contributor-level access or above to make unauthorized changes to the global configuration of the plugin.
Such unauthorized modifications can affect the appearance and behavior of the website by changing CSS, disabling blocks, or altering layout settings.
While the vulnerability does not directly impact confidentiality or availability, it can lead to integrity issues by allowing unauthorized changes to site-wide settings.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users with contributor-level access and above to modify global site-wide plugin configuration options without proper authorization.
While the CVE description does not explicitly mention impacts on compliance with standards such as GDPR or HIPAA, unauthorized modification of site configurations could potentially lead to security policy violations or misconfigurations that affect data protection controls.
However, there is no direct information provided about how this vulnerability specifically impacts compliance with these regulations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Responsive Blocks β Page Builder for Blocks & Patterns plugin to a version later than 2.2.1 where the issue is fixed.
Additionally, restrict contributor-level access and above to trusted users only, as the vulnerability allows authenticated users with contributor-level access to modify global plugin settings.