Security Advisory · Published 2026-05-30
Spectra (Ultimate Addons for Gutenberg) CVE-2026-7465: Contributor-level RCE in 10 minutes
CVE-2026-7465 landed May 30, 2026 with CVSS 8.8. The
plugin marketed as Spectra — Website Builder for Gutenberg (slug
ultimate-addons-for-gutenberg, versions ≤ 2.19.25) lets any
Contributor-or-higher WordPress user execute arbitrary PHP on the server
by embedding a two-block payload in post content. No separate exploit upload step — the
malicious block renders during a normal page view. If you allow guest authors, compromised
freelancer accounts, or stale Contributor users, treat this as site-wide code execution.
TL;DR
- CVE: CVE-2026-7465 · CVSS 8.8 · CWE-269 improper privilege management
- Auth: Contributor+ (not fully unauthenticated, but often enough on multi-author blogs)
- Impact: remote code execution via crafted Gutenberg block registration
- Fix: update Spectra / Ultimate Addons for Gutenberg past 2.19.25 immediately
What to check
The plugin registers custom uagb/* block types. The vulnerable code path lets
a post author influence callback handling during block rendering. Treat Contributor-level
access as sensitive on affected versions, especially on multi-author sites.
Wordfence published Trac links to
class-uagb-init-blocks.php (tags 2.19.25 and trunk). Use those references
to confirm the affected code path and fixed version; do not test exploit content on
a production site.
Step 1 — Find the plugin and version
In wp-admin search plugins for Spectra or Ultimate Addons for Gutenberg.
Slug is usually ultimate-addons-for-gutenberg.
wp plugin list | grep -i ultimate-addons-for-gutenberg
Version ≤ 2.19.25 → vulnerable. Version above that with a May 30+ release date → likely patched, but still audit users and posts from the exposure window.
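Version strings trip up naive checks (a plain string compare ranks 2.9.9 above 2.19.25), so here is an added shell helper, written for this page and not part of the advisory or the plugin, that parses wp plugin list --format=csv output and decides whether the installed build is at or below 2.19.25. The CSV rows are a constructed sample; on a real host pipe the live command output in instead.

```shell
#!/bin/sh
# Added example: is the installed Spectra build in the affected range (<= 2.19.25)?
# Compares dotted version fields numerically instead of relying on GNU-only sort -V.
# Slug and ceiling come from the advisory; SAMPLE_CSV is constructed.

LAST_AFFECTED="2.19.25"
SLUG="ultimate-addons-for-gutenberg"

# version_le A B -> exit 0 if A <= B, field by field.
version_le() {
    va="$1" vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa="${va%%.*}"; fb="${vb%%.*}"
        fa="${fa%%[!0-9]*}"; fb="${fb%%[!0-9]*}"   # drop suffixes such as -beta
        [ -n "$fa" ] || fa=0
        [ -n "$fb" ] || fb=0
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
        case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
    done
    return 0
}

# spectra_vulnerable VERSION -> exit 0 if VERSION is in the affected range.
spectra_vulnerable() {
    version_le "$1" "$LAST_AFFECTED"
}

# classify_plugin_csv: read `wp plugin list --format=csv` on stdin and print
# one of: "vulnerable <ver>", "patched <ver>", "absent".
classify_plugin_csv() {
    found=""
    while IFS=, read -r name status update version; do
        [ "$name" = "$SLUG" ] || continue
        found="$version"
    done
    if [ -z "$found" ]; then
        echo "absent"
    elif spectra_vulnerable "$found"; then
        echo "vulnerable $found"
    else
        echo "patched $found"
    fi
}

# Constructed sample of the CSV the command prints on an affected site.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
ultimate-addons-for-gutenberg,active,available,2.19.25'

printf '%s\n' "$SAMPLE_CSV" | classify_plugin_csv
```

On a live host replace the sample with `wp plugin list --format=csv | classify_plugin_csv`; wp plugin get ultimate-addons-for-gutenberg --field=version gives the bare version if you only want to feed spectra_vulnerable.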
Step 2 — Audit Contributor accounts
Users → All Users → filter Contributor. Remove accounts you do not recognize. Contributors can publish posts (pending review on many sites) but should not exist as dormant freelancers from 2019 with weak passwords.
wp user list --role=contributor --fields=ID,user_login,user_email,user_registered
Force password resets for any Contributor you keep. Enable MFA for every Administrator.
Step 3 — Hunt suspicious block content
Attackers stash payloads inside post_content as Gutenberg block JSON. From SSH:
wp db query "SELECT ID, post_title, post_status FROM wp_posts WHERE post_content LIKE '%render_callback%' AND post_type IN ('post','page') LIMIT 50;"
Also search for unusual uagb/ block names you did not configure in the editor:
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%uagb/%' AND post_status='publish' ORDER BY post_modified DESC LIMIT 30;"
Anything with a hand-typed render_callback pointing at
system, exec, passthru, or eval is
hostile. Trash the post, then re-scan uploads and wp-content for webshells.
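To triage the rows those two queries return at scale, here is an added shell function (written for this page, not taken from the advisory) that reads tab-separated ID, title and post_content rows, the shape wp db query prints with --skip-column-names, and flags both indicators above: a render_callback naming a dangerous PHP function (extending the page's list with shell_exec, popen, proc_open and assert) and uagb/ block names outside an allowlist of blocks your site actually uses. The allowlist and the three sample rows are constructed.

```shell
#!/bin/sh
# Added example: triage exported wp_posts rows for the two Step 3 indicators.
# Input: "ID<TAB>post_title<TAB>post_content" per line, as `wp db query ...
# --skip-column-names` prints (mysql escapes embedded tabs and newlines, so one
# row stays on one line).

# PHP functions that have no business appearing as a block render_callback.
# The advisory names the first four; the rest are the usual companions.
DANGEROUS='system|exec|passthru|eval|shell_exec|popen|proc_open|assert'

# Constructed allowlist: the uagb/ blocks this hypothetical site really uses.
# Build yours from posts you trust; anything outside it deserves a look.
KNOWN_BLOCKS='uagb/container uagb/advanced-heading uagb/buttons uagb/image'

# flag_rows: read rows on stdin, print "ID<TAB>reason" for every indicator hit.
flag_rows() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r id title content; do
        [ -n "$id" ] || continue
        # Indicator 1: render_callback followed, within a few quote/colon/arrow
        # characters, by a dangerous function name.
        if printf '%s' "$content" \
           | grep -Eiq "render_callback[^a-zA-Z]{1,20}(${DANGEROUS})([^a-zA-Z0-9_]|$)"; then
            printf '%s\t%s\n' "$id" "render_callback names a dangerous function"
        fi
        # Indicator 2: any uagb/ block name that is not on the allowlist.
        for blk in $(printf '%s' "$content" | grep -Eo 'uagb/[a-z0-9-]+' | sort -u); do
            case " $KNOWN_BLOCKS " in
                *" $blk "*) ;;
                *) printf '%s\t%s\n' "$id" "unknown block $blk" ;;
            esac
        done
    done
    return 0
}

# Constructed sample rows standing in for the query output.
SAMPLE_ROWS="$(printf '%s\t%s\t%s\n' \
    101 'Quarterly update' '<!-- wp:uagb/container --><!-- wp:uagb/advanced-heading {"level":2} -->' \
    102 'Guest post'       '<!-- wp:uagb/container {"render_callback":"system"} -->' \
    103 'Draft'            '<!-- wp:uagb/custom-widget --><!-- wp:paragraph -->hello<!-- /wp:paragraph -->')"

printf '%s\n' "$SAMPLE_ROWS" | flag_rows
```

Feed it the real rows with wp db query "SELECT ID, post_title, post_content FROM wp_posts WHERE post_content LIKE '%uagb/%'" --skip-column-names | flag_rows. The queries above assume the default wp_ table prefix; substitute yours if it differs, and grow KNOWN_BLOCKS from content you trust before treating an unknown block as hostile.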
Step 4 — Patch
- Backup database and wp-content.
- Update the plugin via WordPress admin or wp plugin update ultimate-addons-for-gutenberg.
- Re-save permalinks and purge cache.
- Review Site Health and security plugin scans after update.
Step 5 — Logs and IOCs
- New PHP files under uploads/ or plugin directories after a Contributor login.
- admin-ajax.php or wp-json spikes from Contributor IPs you do not know.
- Outbound connections from PHP-FPM to paste sites or crypto mining pools.
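As an added check for the first IOC (written for this page, not from the advisory): list PHP files under uploads/ modified after a reference time, such as the first suspicious Contributor login. find -newer compares against an existing file's timestamp and works on both GNU and BSD find; create the reference with touch -t YYYYMMDDhhmm. The directory tree, file names and timestamps here are a constructed fixture.

```shell
#!/bin/sh
# Added example: surface PHP files under wp-content/uploads written after a
# reference time. uploads/ has no legitimate reason to hold executable PHP, so
# every hit gets opened and read. The tree below is a constructed fixture.

# php_since ROOT REF_FILE -> PHP-like files under ROOT newer than REF_FILE.
# On a live host: touch -t 202605300000 /tmp/since; php_since wp-content/uploads /tmp/since
php_since() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) \
        -newer "$2" 2>/dev/null | sort
}

# make_fixture -> path of a temporary tree: one PHP file that pre-dates the
# window, the reference marker, and two post-window uploads (only one is PHP).
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/uploads/2024/03" "$root/uploads/2026/05"
    echo '<?php // constructed, pre-dates the exposure window' > "$root/uploads/2024/03/legacy.php"
    touch -t 202605290000 "$root/uploads/2024/03/legacy.php"
    touch -t 202605300000 "$root/marker"                     # start of the exposure window
    echo 'not really a jpeg' > "$root/uploads/2026/05/hero.jpg"
    echo '<?php // constructed, appeared inside the window' > "$root/uploads/2026/05/cache-abc.php"
    touch -t 202605310000 "$root/uploads/2026/05/hero.jpg" "$root/uploads/2026/05/cache-abc.php"
    echo "$root"
}

FIXTURE="$(make_fixture)"
php_since "$FIXTURE/uploads" "$FIXTURE/marker"
```

Run it against both wp-content/uploads and the plugin directories the list above names, then line the hits up with Contributor login times from your auth logs; a PHP file whose mtime sits minutes after an unknown Contributor's login is the pattern to chase first.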
Need a hand?
Quick Patch Call ($49) — we verify version, users, and patch on your install. Full recovery guide if you already see webshells. Alerts: @ping7cve.
FAQ — CVE-2026-7465
- Do attackers need to be Administrator?
- No. Contributor-level access is enough to embed the malicious block payload.
- Which plugin slug is affected?
- ultimate-addons-for-gutenberg (Spectra) versions ≤ 2.19.25 per advisory data.
- What should I search in the database?
- Post content containing render_callback or suspicious uagb/ block names.