WordPress Plugin Vulnerabilities

Responsive Blocks < 2.2.1 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter

Description

The plugin is vulnerable to Unauthenticated Open Email Relay due to insufficient authorization checks and missing server-side validation of the recipient email address supplied via a public REST API route. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient of their choosing through the affected WordPress site's mail server, effectively turning the site into an open mail relay.

Affects Plugins

Plugin icon
responsive-block-editor-addons
Fixed in 2.2.1

References

CVE
CVE-2026-6675
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/17452a29-bcef-451a-9893-a436ac5d3b80

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Even S
Verified
No
WPVDB ID
b9cdd75e-6088-4ed4-ab8c-458f0f914dc8

Timeline

Publicly Published
2026-04-20 (about 1 month ago)
Added
2026-04-20 (about 1 month ago)
Last Updated
2026-04-20 (about 1 month ago)

Other

Published
Title
Published
2021-10-04
Title
Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update
Published
2025-03-19
Title
File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
Published
2026-02-17
Title
User Submitted Posts < 20260217 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter
Published
2023-11-29
Title
Download Manager < 3.2.83 - Unauthenticated Protected File Download Password Leak
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ SSRF