Cyber Resilience

CVE-2026-1560

Severity: High · Type: RCE

Published: 11 February 2026
Modified: 15 April 2026
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0909 (94.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-1560 is a high-severity Code Injection (CWE-94) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.4% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-1560 is a Remote Code Execution vulnerability (CWE-94) in the Custom Block Builder – Lazy Blocks plugin for WordPress, affecting all versions up to and including 4.2.0. The issue stems from multiple functions in the 'LazyBlocks_Blocks' class that allow code injection; it was publicly disclosed on 2026-02-11. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity because of its potential for significant confidentiality, integrity, and availability impacts.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation allows them to execute arbitrary code on the server, which could result in full compromise of the WordPress installation.

Wordfence's threat intelligence advisory provides further details on the vulnerability (https://www.wordfence.com/threat-intel/vulnerabilities/id/b1853c88-277b-4955-b042-aeed1cffb49b?source=cve). The fix is in plugin changeset 3454012 (https://plugins.trac.wordpress.org/changeset/3454012/); the vulnerable code locations are identified in class-blocks.php at lines 1637 and 766 (https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L1637, https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L766) and in class-rest.php at line 88 (https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-rest.php#L88). Security practitioners should update the plugin immediately and review which accounts hold the Contributor role or higher.

Vulnerability details

The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1560 is a remote code execution vulnerability in a public-facing WordPress plugin exploitable by authenticated low-privilege users, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2026-40563 (shared CWE-94)
CVE-2024-32641 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-2052 (shared CWE-94)
CVE-2026-9170 (shared CWE-94)
CVE-2025-54451 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2025-22204 (shared CWE-94)

Affected Assets

WordPress
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent / recover

Directly mitigates the RCE vulnerability by requiring timely remediation through updating the Lazy Blocks plugin to the patched version in changeset 3454012.

prevent · AC-6 (Least Privilege)

Enforces least privilege to deny Contributor-level access or higher to untrusted users, blocking the prerequisite authentication for exploitation.

prevent · CM-7 (Least Functionality)

Limits system functionality by disabling or removing the unnecessary Lazy Blocks plugin, eliminating the vulnerable 'LazyBlocks_Blocks' class functions.

References