What the vulnerability does
01Description
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Explanation of Vulnerability in Simple Terms
02Summary
Lazy Blocks versions 4.2.0 and earlier contain a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary PHP code on the site. An attacker can inject malicious code through the plugin's block builder interface, gaining full control over site content and functionality. This affects all installations running the vulnerable version range.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site and modify or delete any data.
Potential impact on your site
04Site Impact
A compromised user account can lead to complete site takeover, data theft, or malware injection.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account (e.g., contributor or editor role).
Key dates
06Disclosure timeline
February 11, 2026
CVE published
April 8, 2026
Record updated