CVE-2026-1560
Published: 11 February 2026
Summary
CVE-2026-1560 is a high-severity Code Injection (CWE-94) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-1560 is a Remote Code Execution vulnerability (CWE-94) in the Custom Block Builder – Lazy Blocks plugin for WordPress, affecting all versions up to and including 4.2.0. The issue stems from multiple functions in the 'LazyBlocks_Blocks' class that allow code injection; it was publicly disclosed on 2026-02-11. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity because a successful exploit has a high impact on confidentiality, integrity, and availability.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation allows them to execute arbitrary code on the server, which could result in full compromise of the WordPress installation.
Wordfence's threat intelligence advisory provides further details on the vulnerability (https://www.wordfence.com/threat-intel/vulnerabilities/id/b1853c88-277b-4955-b042-aeed1cffb49b?source=cve). Mitigation is addressed in plugin changeset 3454012 (https://plugins.trac.wordpress.org/changeset/3454012/), with vulnerable code locations identified in class-blocks.php at lines 1637 and 766 (https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L1637, https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-blocks.php#L766) and class-rest.php at line 88 (https://plugins.trac.wordpress.org/browser/lazy-blocks/trunk/classes/class-rest.php#L88). Security practitioners should update the plugin immediately and review access controls for Contributor roles.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5960
Vulnerability details
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
- CWE(s): CWE-94 (Code Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-1560 is a remote code execution vulnerability in a public-facing WordPress plugin exploitable by authenticated low-privilege users, directly enabling T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the RCE vulnerability by requiring timely remediation: update the Lazy Blocks plugin to the patched version in changeset 3454012.
- AC-6 (Least Privilege): enforces least privilege by denying Contributor-level access or higher to untrusted users, removing the authentication prerequisite for exploitation.
- CM-7 (Least Functionality): limits system functionality by disabling or removing the Lazy Blocks plugin where it is not needed, eliminating the vulnerable 'LazyBlocks_Blocks' class functions.
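The analysis above and the first control both come down to one check an administrator can script: is the installed Lazy Blocks version at or below 4.2.0, the last affected version stated in the advisory? The script below is an added example, not code from the advisory, Wordfence or the plugin project. It reads the `Version:` field from the plugin's main file header and compares it numerically component by component (so 4.10.0 sorts above 4.2.0, which a plain string comparison would get wrong). The default plugin path is an assumption, and the sample header the demo writes is constructed.

```shell
#!/bin/sh
# Added defender example for CVE-2026-1560 (not the advisory's or plugin's code).
# Flags a Lazy Blocks install whose header version is <= 4.2.0, the last affected
# version named in the advisory. PLUGIN_FILE is an assumed default path.

PLUGIN_FILE="${1:-wp-content/plugins/lazy-blocks/lazy-blocks.php}"
LAST_VULNERABLE="4.2.0"

# plugin_version FILE -> prints the "Version: x.y.z" value from a WordPress
# plugin header comment block (lines like " * Version: 4.2.0"), or nothing.
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# version_le A B -> exit 0 when dotted numeric version A <= B, 1 otherwise.
# Components are compared as integers; missing components count as 0 (4.2 == 4.2.0).
version_le() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    a="${a#*.}";   b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 0
}

# check_install FILE -> prints a verdict; exit 0 = affected version found,
# 1 = version above 4.2.0, 2 = no Version header (cannot decide).
check_install() {
  v="$(plugin_version "$1" 2>/dev/null)"
  if [ -z "$v" ]; then
    echo "unknown: no Version header found in $1"
    return 2
  fi
  if version_le "$v" "$LAST_VULNERABLE"; then
    echo "AFFECTED: lazy-blocks $v <= $LAST_VULNERABLE (CVE-2026-1560); update the plugin"
    return 0
  fi
  echo "ok: lazy-blocks $v is above $LAST_VULNERABLE"
  return 1
}

# Demo on a constructed sample header so the script runs offline; pass a real
# plugin file path as $1 to check an actual install instead.
SAMPLE="$(mktemp)"
printf '/**\n * Plugin Name: Lazy Blocks\n * Version: 4.2.0\n */\n' > "$SAMPLE"
check_install "$SAMPLE" || true
rm -f "$SAMPLE"
```

Run it from the WordPress root, or pass the path to `lazy-blocks.php` explicitly. The version check answers only the first control; the AC-6 and CM-7 items still require reviewing who holds Contributor or higher roles and whether the plugin is needed at all.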