CVE-2026-6703
Received Received - Intake
Unauthorized Access in Responsive Blocks Plugin Allows Site-wide Config Changes

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: Wordfence

Description
The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify global site-wide plugin configuration options, including toggling custom CSS, disabling blocks, changing layout defaults such as content width, container padding, and container gap, and altering auto-block-recovery behavior.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6703
EUVD
EUVD-2026-24069
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
responsive_blocks page_builder_for_blocks_and_patterns to 2.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should update the Responsive Blocks – Page Builder for Blocks & Patterns plugin to a version later than 2.2.1 where the issue is fixed.

Additionally, restrict contributor-level access and above to trusted users only, as the vulnerability allows authenticated users with contributor-level access to modify global plugin settings.

Executive Summary

The vulnerability exists in the Responsive Blocks – Page Builder for Blocks & Patterns WordPress plugin, versions up to and including 2.2.1. It occurs because the plugin does not properly verify whether a user is authorized to perform certain actions.

As a result, authenticated users with contributor-level access or higher can exploit this flaw to modify global site-wide plugin configuration options without proper permission.

  • Modify global plugin settings such as toggling custom CSS
  • Disable blocks
  • Change layout defaults like content width, container padding, and container gap
  • Alter auto-block-recovery behavior
Impact Analysis

This vulnerability allows authenticated users with contributor-level access or above to make unauthorized changes to the global configuration of the plugin.

Such unauthorized modifications can affect the appearance and behavior of the website by changing CSS, disabling blocks, or altering layout settings.

While the vulnerability does not directly impact confidentiality or availability, it can lead to integrity issues by allowing unauthorized changes to site-wide settings.

Compliance Impact

The vulnerability allows authenticated users with contributor-level access and above to modify global site-wide plugin configuration options without proper authorization.

While the CVE description does not explicitly mention impacts on compliance with standards such as GDPR or HIPAA, unauthorized modification of site configurations could potentially lead to security policy violations or misconfigurations that affect data protection controls.

However, there is no direct information provided about how this vulnerability specifically impacts compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart