CVE-2026-13756
Received Received - Intake

Privilege Escalation in WP Grid Builder WordPress Plugin

Vulnerability report for CVE-2026-13756, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the `update()` handler for the `/wp-json/wpgb/v2/metadata` REST endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator by updating their own `wp_capabilities` user meta with a crafted nested array payload.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wp_grid_builder wp_grid_builder to 2.3.3 (inc)
wp_grid_builder wp_grid_builder 2.3.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WP Grid Builder plugin for WordPress has a vulnerability in versions up to and including 2.3.3 that allows privilege escalation. This occurs because the plugin's update() handler for the /wp-json/wpgb/v2/metadata REST endpoint lacks proper authorization and meta key validation. As a result, authenticated users with Subscriber-level access or higher can exploit this flaw by sending a crafted nested array payload to update their own wp_capabilities user meta, effectively elevating their privileges to Administrator.

Impact Analysis

This vulnerability can have a severe impact because it allows an attacker with low-level access (Subscriber or above) to escalate their privileges to Administrator. This means the attacker can gain full control over the WordPress site, including the ability to modify content, install malicious plugins or themes, access sensitive data, and potentially compromise the entire website.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious updates to user metadata, specifically changes to the wp_capabilities meta key via the /wp-json/wpgb/v2/metadata REST endpoint.

To detect exploitation attempts, you can inspect web server logs for POST or PUT requests to the /wp-json/wpgb/v2/metadata endpoint coming from authenticated users with Subscriber-level access or above.

Example commands to check for suspicious requests in Apache or Nginx logs might include:

  • grep "/wp-json/wpgb/v2/metadata" /var/log/apache2/access.log | grep POST
  • grep "/wp-json/wpgb/v2/metadata" /var/log/nginx/access.log | grep POST

Additionally, you can audit the WordPress database usermeta table for unexpected changes to the wp_capabilities meta key, especially nested array payloads that elevate privileges.

Mitigation Strategies

The immediate mitigation step is to update the WP Grid Builder plugin to version 2.3.4 or later, where this vulnerability has been patched.

Until the update can be applied, restrict access to the /wp-json/wpgb/v2/metadata REST endpoint to trusted users only, or disable the endpoint if possible.

Additionally, review user roles and permissions to ensure that Subscriber-level users do not have unnecessary access, and monitor for suspicious activity related to user meta updates.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13756. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart