CVE-2026-2028 Overview
The MaxiBlocks Builder plugin for WordPress contains an arbitrary media file deletion vulnerability stemming from insufficient file ownership validation in the maxi_remove_custom_image_size AJAX action. This security flaw affects all versions up to and including 2.1.8, allowing authenticated attackers with Author-level access or higher to delete arbitrary files within the wp-content/uploads directory.
Critical Impact
Authenticated attackers can delete media files uploaded by other users and administrators, potentially disrupting site functionality, removing critical assets, and causing data loss across the WordPress installation.
Affected Products
- MaxiBlocks Builder plugin for WordPress versions up to and including 2.1.8
- WordPress installations with MaxiBlocks Builder plugin enabled
- Sites with Author-level or higher user accounts
Discovery Timeline
- 2026-04-24 - CVE-2026-2028 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-2028
Vulnerability Analysis
This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), which occurs when the application uses user-supplied input to determine which resources can be accessed or modified. In the context of MaxiBlocks Builder, the maxi_remove_custom_image_size AJAX action fails to properly verify that the authenticated user owns the media file they are attempting to delete. This allows any user with Author privileges to manipulate the request parameters and target files uploaded by other users, including administrators.
The vulnerability is exploitable over the network and requires no user interaction. While the attacker needs to be authenticated with at least Author-level access, this is a relatively low barrier given that many WordPress sites grant Author permissions to content contributors. The impact primarily affects the integrity of media assets stored in the uploads directory.
Root Cause
The root cause lies in missing authorization checks within the class-maxi-image-crop.php file. Prior to the security patch, the plugin did not implement proper nonce verification for the image manipulation AJAX actions. The absence of the check_ajax_referer() function call meant that the plugin could not verify that requests were legitimately initiated by the authorized user through the proper WordPress interface.
Additionally, the file ownership validation was insufficient—the plugin checked if the user had generic edit_posts capability but failed to verify if the user owned the specific media file being targeted for deletion.
Attack Vector
An authenticated attacker with Author-level privileges can exploit this vulnerability by sending crafted AJAX requests to the maxi_remove_custom_image_size action endpoint. Since the application lacks proper nonce verification and file ownership checks, the attacker can specify any file ID within the uploads directory, including files owned by administrators or other users.
The attack can be executed through:
- Intercepting legitimate AJAX requests and modifying the target file parameter
- Directly crafting malicious AJAX requests to the WordPress admin-ajax.php endpoint
- Automating mass deletion through scripted requests
The security patch addresses this by implementing proper nonce verification:
public function maxi_add_custom_image_size()
{
check_ajax_referer('maxi_image_crop', 'nonce');
if (!current_user_can('edit_posts')) {
wp_die(__('You do not have sufficient permissions to access this page.', 'maxi-blocks'));
}
Source: GitHub Commit Details
The patch also adds nonce generation in the initialization:
'local_fonts' => get_option('local_fonts'),
'bunny_fonts' => get_option('bunny_fonts'),
'apiRoot' => esc_url_raw(rest_url()),
'image_crop_nonce' => wp_create_nonce('maxi_image_crop'),
]);
// Inject MaxiBlocks settings directly to avoid API calls
Source: GitHub Commit Details
Detection Methods for CVE-2026-2028
Indicators of Compromise
- Unusual volume of AJAX requests targeting maxi_remove_custom_image_size action from Author-level accounts
- Unexpected deletion of media files in wp-content/uploads directory not initiated by file owners
- Access logs showing repeated POST requests to admin-ajax.php with action=maxi_remove_custom_image_size
- Reports from administrators about missing media assets they did not delete
Detection Strategies
- Monitor WordPress access logs for suspicious AJAX activity patterns targeting MaxiBlocks endpoints
- Implement file integrity monitoring on the wp-content/uploads directory to detect unauthorized deletions
- Review user activity logs for Author-level accounts performing unusual file operations
- Deploy web application firewall rules to flag repeated file deletion requests from single user sessions
Monitoring Recommendations
- Enable detailed WordPress audit logging for all media file operations
- Configure alerts for bulk file deletion activities originating from non-administrator accounts
- Implement real-time monitoring of AJAX endpoints related to MaxiBlocks Builder plugin
- Establish baseline metrics for normal media file deletion patterns to identify anomalies
How to Mitigate CVE-2026-2028
Immediate Actions Required
- Update MaxiBlocks Builder plugin to version 2.1.9 or later immediately
- Audit user accounts with Author-level access and above for potential abuse
- Review media library for any unauthorized deletions and restore from backups if necessary
- Temporarily disable MaxiBlocks Builder plugin if immediate update is not possible
Patch Information
The vulnerability has been addressed in the official MaxiBlocks Builder plugin update. The security patch implements proper nonce verification using WordPress's check_ajax_referer() function and adds the maxi_image_crop nonce to all image manipulation AJAX actions. Users should update to the latest version available through the WordPress plugin repository.
For technical details on the fix, refer to the GitHub Commit Details and the Wordfence Vulnerability Report.
Workarounds
- Restrict Author-level account creation until the plugin is updated
- Implement additional access controls limiting which users can access MaxiBlocks Builder features
- Deploy web application firewall rules to block requests to the vulnerable AJAX action
- Enable WordPress file system permissions to restrict write access to the uploads directory
# Restrict wp-content/uploads permissions (temporary mitigation)
chmod 755 /var/www/html/wp-content/uploads
chown www-data:www-data /var/www/html/wp-content/uploads
# Enable WordPress audit logging via wp-config.php
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
