CVE-2026-1560 HIGH

CVE-2026-1560: Custom Block Builder – Lazy Blocks <= 4.2.0 - Authenticated (Contributor+) Remote Code Execution

Vendor Nko
Product Custom Block Builder – Lazy Blocks
Weakness CWE-94 · Code injection
Published February 11, 2026
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Explanation of Vulnerability in Simple Terms

02Summary

Lazy Blocks versions 4.2.0 and earlier contain a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary PHP code on the site. An attacker can inject malicious code through the plugin's block builder interface, gaining full control over site content and functionality. This affects all installations running the vulnerable version range.

What an attacker can do

03Attacker Capabilities

Run arbitrary PHP code on the site and modify or delete any data.

Potential impact on your site

04Site Impact

A compromised user account can lead to complete site takeover, data theft, or malware injection.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account (e.g., contributor or editor role).

Key dates

06Disclosure timeline

February 11, 2026 CVE published
April 8, 2026 Record updated