Spectra Gutenberg Blocks < 2.19.18 – Unauthenticated Information Disclosure in Sensitive Data | CVE 2026-0950 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Information Disclosure due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block.

Affects Plugins

ultimate-addons-for-gutenberg

Fixed in 2.19.18

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

johska

Verified

No

WPVDB ID

c61cfc7c-ce25-49d3-8162-4d27f8142b80

Timeline

Publicly Published

2026-02-02 (about 4 months ago)

Added

2026-02-02 (about 4 months ago)

Last Updated

2026-02-02 (about 4 months ago)

Other

Published

Title

Published

2025-01-24

Title

Import WP – Export and Import CSV and XML files to WordPress < 2.14.6 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

Published

2024-12-19

Title

Page Restriction WordPress (WP) – Protect WP Pages/Post < 1.3.7 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Published

2025-06-05

Title

KI Live Video Conferences <= 5.5.15 - Unauthenticated Information Disclosure

Published

2023-09-25

Title

WP Job Openings < 3.4.3 - Sensitive Data Exposure via Directory Listing

Published

2024-08-16

Title

wpForo Forum < 2.3.5 - Unauthenticated Sensitive Information Exposure