Security Advisory · Published 2026-05-30

Spectra (Ultimate Addons for Gutenberg) CVE-2026-7465: Contributor-level RCE in 10 minutes

CVE-2026-7465 landed May 30, 2026 with CVSS 8.8. The plugin marketed as Spectra — Website Builder for Gutenberg (slug ultimate-addons-for-gutenberg, versions ≤ 2.19.25) lets any WordPress user with the Contributor role or higher execute arbitrary PHP on the server by embedding a two-block payload in post content. There is no separate upload step: the malicious block runs when the post is rendered. If you allow guest authors, have compromised freelancer accounts, or keep stale Contributor users around, treat this as site-wide code execution.

TL;DR

  • CVE: CVE-2026-7465 · CVSS 8.8 · CWE-269 improper privilege management
  • Auth: Contributor or higher (authenticated, but Contributor accounts are common and rarely policed on multi-author blogs)
  • Impact: remote code execution via crafted Gutenberg block registration
  • Fix: update Spectra / Ultimate Addons for Gutenberg past 2.19.25 immediately

What to check

The plugin registers custom uagb/* block types. On affected versions the vulnerable code path lets a post author influence which callback runs when one of those blocks is rendered. Treat Contributor-level access as sensitive until the plugin is updated, especially on multi-author sites.

Wordfence published Trac links to class-uagb-init-blocks.php (tags 2.19.25 and trunk). Use those references to confirm the affected code path and fixed version; do not test exploit content on a production site.

Step 1 — Find the plugin and version

In wp-admin go to Plugins → Installed Plugins and search for Spectra or Ultimate Addons for Gutenberg. The slug is usually ultimate-addons-for-gutenberg. From WP-CLI:

wp plugin get ultimate-addons-for-gutenberg --fields=name,status,version

Version ≤ 2.19.25 → vulnerable. Any later version carries the fix per the advisory, but still audit users and posts created or modified during the exposure window (from the time an affected version was installed until you updated).

Step 2 — Audit Contributor accounts

Users → All Users → filter Contributor. Remove accounts you do not recognize. Contributors cannot publish, but they can write posts, submit them for review, and preview their own drafts, which is enough to get block content rendered; a dormant freelancer account from 2019 with a weak password is exactly the foothold this bug needs.

wp user list --role=contributor --fields=ID,user_login,user_email,user_registered

Force password resets for any Contributor you keep. Enable MFA for every Administrator.

Step 3 — Hunt suspicious block content

Gutenberg serialises every block as an HTML comment with a JSON attribute object (<!-- wp:uagb/... {...} -->), so a payload lands in post_content as block JSON. From a shell on the server (the prefix subshell handles sites whose table prefix is not wp_):

wp db query "SELECT ID, post_title, post_status FROM $(wp db prefix)posts WHERE post_content LIKE '%render_callback%' AND post_type IN ('post','page') LIMIT 50;"

Also search for uagb/ block names you never placed in the editor:

wp db query "SELECT ID, post_title FROM $(wp db prefix)posts WHERE post_content LIKE '%uagb/%' AND post_status='publish' ORDER BY post_modified DESC LIMIT 30;"

Any block attribute that names render_callback, or whose value is system, exec, passthru, shell_exec, or eval, is hostile; the editor never writes those. Trash the post, then re-scan wp-content/uploads and the rest of wp-content for webshells.
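The two queries above only string-match. To triage the hits properly you want to parse the block comments and look at the attribute JSON itself. The scanner below is an added example, not code from the advisory or from the Spectra plugin; it parses Gutenberg's block delimiter comments, reports uagb/ blocks outside an allowlist you supply, and flags attribute keys and values that should never come out of the editor. The allowlist, the suspicious-key and function-name lists, and the sample post content (including the block name uagb/not-a-real-block) are constructed assumptions for the example. Feed it the JSON from wp post list --fields=ID,post_title,post_content --format=json (run once per post type you care about).

```python
import json
import re

# Gutenberg serialises a block as <!-- wp:NAME {JSON} --> ... <!-- /wp:NAME -->,
# or <!-- wp:NAME {JSON} /--> for a self-closing block. Core blocks omit the "core/" prefix.
# Closers start with "/wp:" and therefore do not match this pattern.
BLOCK_OPEN = re.compile(
    r"<!--\s+wp:([a-z][a-z0-9-]*(?:/[a-z][a-z0-9-]*)?)\s*(\{.*?\})?\s*/?-->",
    re.DOTALL,
)

# Assumption for this example: keys the editor never emits, and PHP function names
# that have no business appearing as a block attribute value.
SUSPICIOUS_KEYS = {"render_callback", "callback"}
DANGEROUS_FUNCS = {"system", "exec", "passthru", "shell_exec", "eval",
                   "assert", "popen", "proc_open", "base64_decode"}


def _walk(value, path=""):
    """Yield (dotted path, scalar) for every leaf inside a nested attribute object."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, value


def scan_post_content(content, known_uagb_blocks):
    """Return [(block_name, reason), ...] for one post's post_content.

    known_uagb_blocks: the uagb/* names this site legitimately uses (assumption:
    build it from a known-clean export). Any other uagb/* block is reported.
    """
    findings = []
    for m in BLOCK_OPEN.finditer(content):
        name, raw_attrs = m.group(1), m.group(2)
        if name.startswith("uagb/") and name not in known_uagb_blocks:
            findings.append((name, "unexpected uagb block"))
        if not raw_attrs:
            continue
        try:
            attrs = json.loads(raw_attrs)
        except json.JSONDecodeError:
            # The editor always writes valid JSON; hand-typed payloads often do not.
            findings.append((name, "attribute JSON does not parse"))
            continue
        for path, val in _walk(attrs):
            leaf = path.rsplit(".", 1)[-1]
            if leaf in SUSPICIOUS_KEYS:
                findings.append((name, f"attribute {path} = {val!r}"))
            elif isinstance(val, str) and val.strip().lower() in DANGEROUS_FUNCS:
                findings.append((name, f"attribute {path} names PHP function {val!r}"))
    return findings


def scan_export(json_text, known_uagb_blocks):
    """Scan the JSON emitted by `wp post list --fields=ID,post_title,post_content --format=json`.
    Returns {post_id: findings} for posts that have at least one finding."""
    report = {}
    for post in json.loads(json_text):
        hits = scan_post_content(post.get("post_content", ""), known_uagb_blocks)
        if hits:
            report[int(post["ID"])] = hits
    return report


# Constructed sample: one benign Spectra container, one hand-crafted hostile block.
SAMPLE_POST = """<!-- wp:uagb/container {"block_id":"a1b2c3","variationSelected":true} -->
<div class="wp-block-uagb-container">
<!-- wp:paragraph -->
<p>Quarterly update</p>
<!-- /wp:paragraph -->
</div>
<!-- /wp:uagb/container -->
<!-- wp:uagb/not-a-real-block {"render_callback":"system","args":{"cmd":"id"}} /-->
"""

# Constructed stand-in for the wp post list JSON output.
SAMPLE_EXPORT = json.dumps([
    {"ID": "7", "post_title": "About", "post_content": "<!-- wp:paragraph -->\n<p>Hi</p>\n<!-- /wp:paragraph -->"},
    {"ID": "42", "post_title": "Guest post", "post_content": SAMPLE_POST},
])

if __name__ == "__main__":
    for post_id, hits in scan_export(SAMPLE_EXPORT, {"uagb/container"}).items():
        for name, reason in hits:
            print(f"post {post_id}: {name}: {reason}")
```

A parse failure is reported rather than skipped on purpose: the editor always writes well-formed JSON, so malformed attributes on a uagb/ block are a signal in themselves. Build known_uagb_blocks from a post export you trust, not from the posts you are investigating.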

Step 4 — Patch

  1. Backup database and wp-content.
  2. Update the plugin via WordPress admin or wp plugin update ultimate-addons-for-gutenberg.
  3. Re-save permalinks and purge cache.
  4. Review Site Health and security plugin scans after update.

Step 5 — Logs and IOCs

  • New PHP files under wp-content/uploads/ or inside plugin directories that appear after a Contributor login.
  • Spikes in admin-ajax.php or /wp-json/ requests from IP addresses you do not associate with your Contributors.
  • Outbound connections from the PHP worker (php-fpm or mod_php) to paste sites or crypto-mining pools.
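The first indicator above, and the webshell re-scan after trashing a hostile post, come down to the same check: wp-content/uploads/ should contain no PHP at all, and anything PHP-shaped that appeared recently or reads like a dropper deserves a look. The walker below is an added example (not from the advisory or the plugin) that reports PHP files under a directory tree by modification time and by a small set of webshell patterns. The pattern list is a heuristic assumed for this example, and build_demo_tree() writes a constructed fixture to a temporary directory so the code runs offline.

```python
import re
import tempfile
from pathlib import Path

# Assumption for this example: token patterns typical of PHP droppers and webshells.
# Tune to your environment; treat a match as "read this file", not as proof.
WEBSHELL_PATTERNS = [
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\("),
    re.compile(rb"\bbase64_decode\s*\("),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),  # $_POST['f'](...): variable-function call
    re.compile(rb"\bmove_uploaded_file\s*\("),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def find_suspicious_php(root, modified_after=None):
    """Walk root and return sorted [(relative_path, [reasons]), ...] for files with a PHP
    extension that are newer than modified_after (epoch seconds; None disables the
    time check) or that match any webshell pattern."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in PHP_SUFFIXES:
            continue
        reasons = []
        st = p.stat()
        if modified_after is not None and st.st_mtime > modified_after:
            reasons.append("modified after cutoff")
        data = p.read_bytes()
        for pat in WEBSHELL_PATTERNS:
            if pat.search(data):
                reasons.append("matches " + pat.pattern.decode())
        if reasons:
            hits.append((p.relative_to(root).as_posix(), reasons))
    return sorted(hits)


def build_demo_tree():
    """Constructed fixture: a fake wp-content/uploads with one benign PHP file,
    one image, and two files shaped like webshells. Returns the temp root."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    month = root / "2026" / "05"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")
    (root / "index.php").write_text("<?php\n// Silence is golden.\n")
    (month / "cache.php").write_text('<?php eval(base64_decode($_POST["q"]));')
    (month / "wp-conf.phtml").write_text('<?php $_REQUEST["f"]($_REQUEST["c"]);')
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, reasons in find_suspicious_php(demo):
        print(rel, "->", "; ".join(reasons))
```

On a real site run it as find_suspicious_php("/var/www/html/wp-content/uploads", modified_after=<epoch of the earliest suspicious Contributor login>). Attackers routinely reset mtime with touch, so the time filter is a convenience, not a control; the content patterns and the plain rule that uploads/ should hold no executable PHP are what you rely on.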

Need a hand?

Quick Patch Call ($49) — we verify version, users, and patch on your install. Full recovery guide if you already see webshells. Alerts: @ping7cve.

FAQ — CVE-2026-7465

Do attackers need to be Administrator?
No. Contributor-level access is enough to embed the malicious block payload.
Which plugin slug is affected?
ultimate-addons-for-gutenberg (Spectra) versions ≤ 2.19.25 per advisory data.
What should I search in the database?
Post content containing render_callback or suspicious uagb/ block names.

References