CVE-2026-10586

CVE Title

Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 6.1.3 - Authenticated (Author+) Server-Side Request Forgery

Description

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Overview

State
PUBLISHED
Assigner (CNA)
Wordfence
CVSS severity
HIGH
CVSS score
7.2 / 10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Effective score
7.2 / 10 HIGH source: CNA overview
CWE(s)
CWE-918
Reserved
2026-06-01
Published
2026-06-04 23:28 UTC
Last updated
2026-06-05 01:59 UTC
Source
https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/10xxx/CVE-2026-10586.json
Linked Threat
CVE-2026-10586 — Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 6.1.3 - Authenticated (Author+) Server-Side Request Forgery

NVD triage scoring NVD CVE 2.0

Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.

NVD published
2026-06-05 00:16:57 UTC
NVD last modified
2026-06-05 00:16:57 UTC
NVD CVSS v3.1
7.2 / 10 HIGH source: security@wordfence.com
NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitability subscore
3.9 / 10
Impact subscore
2.7 / 10

NVD / KEV / EPSS data refreshed 2026-06-05 09:37 UTC.

European Union Vulnerability Database ENISA EUVD

ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.

EUVD ID
EUVD-2026-34771
Assigner
Wordfence
Published
Jun 4, 2026, 11:28:52 PM
Updated
Jun 5, 2026, 1:59:19 AM
EUVD base score (CVSS 3.1)
7.2 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EUVD-reported EPSS
0.0000
Vendors
wpdevteam
Products
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns (0 ≤6.1.3)
Aliases
GHSA-5rm6-jpq7-cq95

ENISA description: The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

EUVD references (2)

Affected products (1)

Vendor | Product | Versions | Platforms
wpdevteam | Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns | 0 (affected) |

Remediations (11)

Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.

  • Wordfence remediation: Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns
    Wordfence

    Update to version 6.1.4, or a newer patched version

    2026-06-05 13:17 UTC
  • web:cvetodo.com

    How do I fix CVE-2026-10586? To remediate CVE-2026-10586: Check wpdevteam's security advisories for official patches and updates. Update Gutenberg Essential Blocks - Page Builder for Gutenberg Blocks & Patterns to the latest patched version. Review the references section below for vendor advisories and mitigation guidance.

    2026-06-05 10:33 UTC
  • web:cybersecuritynews.com

    Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.

    2026-06-05 10:33 UTC
  • web:hivepro.com

    Summary Microsoft's May 2026 Patch Tuesday security update addresses 137 critical vulnerabilities across the Microsoft product ecosystem, representing a significant security update for enterprise and consumer environments.

    2026-06-05 10:33 UTC
  • web:nvd.nist.gov

    Description Inappropriate implementation in Chromoting in Google Chrome prior to 148..7778.168 allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: Medium)

    2026-06-05 10:33 UTC
  • web:blog.qualys.com

    May 2026's Patch Tuesday arrives with Microsoft addressing a fresh set of vulnerabilities across its ecosystem, reinforcing the ongoing need for timely patching in an increasingly threat-heavy…

    2026-06-05 10:33 UTC
  • web:thecyberexpress.com

    Microsoft has rolled out its May 2026 Patch Tuesday security updates, delivering fixes for approximately 120 vulnerabilities across Windows, Microsoft Office, networking services, and enterprise platforms.

    2026-06-05 10:33 UTC
  • web:www.pdq.com

    May 2026 Patch Tuesday is here, and PDQ is back with another recap. Will we see another month of increased CVE volume? Is AI to blame? Dive in to learn more.

    2026-06-05 10:33 UTC
  • web:www.thehackerwire.com

    TheHackerWire - Your daily source for cybersecurity news, CVE alerts, hacking tutorials, and security tool reviews. Stay ahead of cyber threats.

    2026-06-05 10:33 UTC
  • web:zecurit.com

    Get the complete breakdown of Microsoft's June 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs.

    2026-06-05 10:33 UTC
  • web:portal.msrc.microsoft.com

    The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.

    2026-06-05 10:33 UTC

Vendor references (2)

References embedded in the original CVE record by the assigning CNA.

MITRE references (2) cveawg.mitre.org

Pulled from MITRE's CVE Services API.

NVD-tagged references (2)

Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.

Indicators (1)

IOCs linked to the auto-promoted Threat row.

Type | Value | VirusTotal | Attached
cve | CVE-2026-10586 | no local data | 2026-06-05 13:17 UTC

    Raw JSON

    The full cvelistV5 record.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10586",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-05T01:59:09.608263Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-05T01:59:19.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns",
              "vendor": "wpdevteam",
              "versions": [
                {
                  "lessThanOrEqual": "6.1.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Shambles"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T23:28:52.002Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08906577-162c-4875-b16c-18d4912c2611?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/essential-blocks/tags/6.1.3/includes/Integrations/AI/AI.php#L171"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-02T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-06-01T19:42:41.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-04T10:40:13.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Gutenberg Essential Blocks \u2013 Page Builder for Gutenberg Blocks & Patterns <= 6.1.3 - Authenticated (Author+) Server-Side Request Forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10586",
        "datePublished": "2026-06-04T23:28:52.002Z",
        "dateReserved": "2026-06-01T19:26:38.526Z",
        "dateUpdated": "2026-06-05T01:59:19.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }