CVE-2026-6675 Overview
The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to an Unauthenticated Open Email Relay in all versions up to, and including, 2.2.0. This vulnerability stems from insufficient authorization checks and missing server-side validation of the recipient email address supplied via a public REST API route. The flaw enables unauthenticated attackers to send arbitrary emails to any recipient of their choosing through the affected WordPress site's mail server, effectively turning the site into an open mail relay.
Critical Impact
Attackers can leverage vulnerable WordPress installations as spam relay servers without authentication, potentially damaging site reputation, causing IP blacklisting, and enabling phishing campaigns.
Affected Products
- Responsive Blocks – Page Builder for Blocks & Patterns plugin version 2.2.0 and earlier
- WordPress sites with the vulnerable plugin installed and active
- WordPress REST API endpoints exposed via the plugin
Discovery Timeline
- April 21, 2026 - CVE-2026-6675 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-6675
Vulnerability Analysis
This open email relay vulnerability (CWE-20: Improper Input Validation) exists within the Responsive Blocks plugin's REST API implementation. The plugin exposes a publicly accessible REST API route that handles email functionality but fails to implement proper authorization checks or validate the recipient email address on the server side.
The core issue lies in the class-responsive-block-editor-addons.php file, where the email sending functionality accepts user-controlled input for the recipient address without verifying that the sender is authenticated or that the recipient is a legitimate, expected address. This architectural flaw allows any external actor to craft API requests that instruct the WordPress site's mail server to send emails to arbitrary destinations.
When exploited, the attacker can specify any recipient email address, compose custom message content, and effectively hijack the site's mail-sending capabilities. This transforms the WordPress installation into an open mail relay, which is particularly dangerous as it can be used for spam distribution, phishing campaigns, or email-based attacks while obscuring the attacker's origin.
Root Cause
The root cause is the absence of proper authentication enforcement and input validation on a public-facing REST API endpoint. The plugin registers an API route that handles email operations but does not require authentication (permission_callback is likely set to __return_true or equivalent), nor does it validate that the recipient email address matches any expected pattern or whitelist.
The vulnerable code paths can be found in the plugin source at multiple locations within class-responsive-block-editor-addons.php, specifically around lines 2212, 2324, and 2403, where email handling logic is implemented without adequate security controls.
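To make the root cause concrete, here is an added illustration (not the plugin's own code) of the weak registration pattern the advisory describes next to a hardened one. The namespace `example-blocks/v1`, the `/send` routes, the parameter names and the admin-only allow-list are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: the weak pattern the
// advisory describes next to a hardened registration. The namespace
// 'example-blocks/v1', the routes and the parameter names are assumed.
// WEAK: no authorization, recipient chosen by the caller and never checked.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/send', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            wp_mail( $req->get_param( 'to' ), $req->get_param( 'subject' ), $req->get_param( 'message' ) );
            return rest_ensure_response( array( 'sent' => true ) );
        },
    ) );
} );

// Assumed allow-list: only the site's configured admin address may receive mail.
function example_allowed_recipients() {
    return array( strtolower( get_option( 'admin_email' ) ) );
}
// HARDENED: capability check, server-side recipient validation, input sanitisation.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/send-hardened', array(
        'methods'             => 'POST',
        // Anonymous callers are rejected by the REST server before the callback runs.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'to' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                // Reject anything that is not a well-formed, allow-listed address (400 on failure).
                'validate_callback' => function ( $value ) {
                    return is_email( $value )
                        && in_array( strtolower( $value ), example_allowed_recipients(), true );
                },
            ),
            'subject' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'message' => array( 'required' => true, 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            $sent = wp_mail( $req->get_param( 'to' ), $req->get_param( 'subject' ), $req->get_param( 'message' ) );
            return $sent
                ? rest_ensure_response( array( 'sent' => true ) )
                : new WP_Error( 'mail_failed', 'Mail could not be sent.', array( 'status' => 500 ) );
        },
    ) );
} );
```

With the hardened route, an unauthenticated request never reaches `wp_mail()`, and an authenticated one can only target an address the site operator chose.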
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests to the plugin's REST API endpoint.
The attack flow involves:
- Identifying a WordPress site with the vulnerable Responsive Blocks plugin installed
- Discovering the exposed REST API route that handles email functionality
- Crafting a POST request to the API endpoint with arbitrary recipient addresses and message content
- The server processes the request without validating the sender's identity or the recipient's legitimacy
- The WordPress site's configured mail server sends the attacker-controlled email
Since no authentication is required, attackers can automate this process to send bulk emails through compromised WordPress installations, leveraging the site's domain reputation for malicious purposes.
Detection Methods for CVE-2026-6675
Indicators of Compromise
- Unusual spikes in outbound email traffic from WordPress servers
- Mail server logs showing emails to unfamiliar or suspicious recipient addresses
- REST API access logs containing requests to email-related plugin endpoints from unknown IP addresses
- Reports of the WordPress domain appearing in spam blacklists
- Bounce-back notifications for emails the site administrator did not authorize
Detection Strategies
- Monitor WordPress REST API access logs for unauthenticated requests to /wp-json/ endpoints related to the Responsive Blocks plugin
- Configure email server logging to track all outbound messages and alert on unusual volume or recipient patterns
- Implement Web Application Firewall (WAF) rules to detect and block suspicious API requests targeting email functionality
- Use SentinelOne Singularity to monitor for anomalous process behavior associated with email relay abuse
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests, particularly those involving POST methods
- Set up alerts for outbound email volume thresholds that exceed normal operational baselines
- Monitor domain reputation through blacklist checking services
- Review mail server queue regularly for unauthorized or suspicious messages
How to Mitigate CVE-2026-6675
Immediate Actions Required
- Update the Responsive Blocks – Page Builder for Blocks & Patterns plugin to a version newer than 2.2.0 as soon as a patched version is available
- Disable the Responsive Blocks plugin temporarily if it is not critical to site functionality
- Implement WAF rules to block unauthenticated requests to the vulnerable REST API endpoints
- Review mail server logs for signs of abuse and consider temporarily restricting outbound email capabilities
Patch Information
Review the Wordfence Vulnerability Report for official patch details and update guidance. The vulnerable code can be examined in the WordPress Plugin Code Reference to understand the affected functions.
Site administrators should monitor the WordPress plugin repository for security updates and apply patches immediately when released.
Workarounds
- Disable the Responsive Blocks plugin entirely until a security patch is available
- Use a security plugin like Wordfence to add authentication requirements to REST API endpoints
- Configure server-level email restrictions to limit outbound mail to authorized addresses only
- Implement rate limiting on REST API endpoints to minimize potential abuse impact
```php
# WordPress configuration example: deny REST API access to unauthenticated users.
# Add to a must-use plugin (wp-content/mu-plugins/) or the active theme's functions.php.
# It cannot go in wp-config.php, which is loaded before add_filter() is defined.
# Caveat: this blocks every anonymous REST request, including legitimate public
# features (oEmbed, contact forms, headless front ends); scope the rule to the
# plugin's route namespace if any of those are in use.
add_filter('rest_authentication_errors', function($result) {
    // Respect an error or success already set by another authentication handler.
    if (!empty($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'You are not currently logged in.', array('status' => 401));
    }
    return $result;
});
```
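The REST request logging and the outbound-mail restriction recommended above, as an added WordPress-level illustration that is not part of this page or the plugin: it records every anonymous REST POST and refuses mail to recipients outside an allow-list. The allow-list (the admin address only) and the log prefixes are assumptions; a real site would list every address it legitimately mails, such as registered users for password resets.

```php
<?php
/**
 * Plugin Name: Example REST and mail guard (added illustration, not a project file)
 * Copy into wp-content/mu-plugins/ so it loads before ordinary plugins.
 * The log prefixes and the allow-list are assumptions.
 */
// 1. Log every unauthenticated POST to the REST API so relay attempts are visible
//    in the PHP error log even when the web server's access log is not kept.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 'POST' === $request->get_method() && ! is_user_logged_in() ) {
        error_log( sprintf(
            'wp-rest-anon-post ip=%s route=%s',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $request->get_route()
        ) );
    }
    return $result; // null leaves normal dispatch untouched
}, 10, 3 );

// Assumed allow-list: outbound mail may only go to the site's admin address.
function example_mail_allowlist() {
    return array( strtolower( get_option( 'admin_email' ) ) );
}

// Return the bare address from "Display Name <user@example.com>" or "user@example.com".
function example_bare_address( $recipient ) {
    if ( preg_match( '/<([^>]+)>/', $recipient, $m ) ) {
        $recipient = $m[1];
    }
    return strtolower( trim( $recipient ) );
}

// 2. Short-circuit wp_mail() (pre_wp_mail filter, WordPress 5.7+) when any recipient
//    is off the allow-list; returning false makes wp_mail() report failure without sending.
add_filter( 'pre_wp_mail', function ( $return, $atts ) {
    $to      = is_array( $atts['to'] ) ? $atts['to'] : preg_split( '/\s*,\s*/', (string) $atts['to'] );
    $blocked = array();
    foreach ( $to as $recipient ) {
        $addr = example_bare_address( $recipient );
        if ( ! in_array( $addr, example_mail_allowlist(), true ) ) {
            $blocked[] = $addr;
        }
    }
    if ( ! empty( $blocked ) ) {
        error_log( 'wp-mail-blocked recipients=' . implode( ',', $blocked ) );
        return false;
    }
    return $return; // null: let wp_mail() proceed normally
}, 10, 2 );
```

The `wp-rest-anon-post` and `wp-mail-blocked` lines land in the PHP error log, where a log shipper can count them per source address and alert when a burst exceeds the site's normal baseline.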
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.