# WordPress CVE-2026-6675: Responsive Blocks Plugin Unauthenticated Open Email Relay

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest)

Source: 2026-04-23-wordpress-cve-2026-6675-responsive-blocks-unauthenticated-open-email-relay

**Date:** April 23, 2026
**Collection Time:** 07:05 UTC
**Source Tier:** Tier 2 (TheHackerWire — security research publication)
**Confidence:** High (CVE database disclosure)

## Summary
A second vulnerability has been disclosed for the **Responsive Blocks – Page Builder for Blocks & Patterns** WordPress plugin (the same plugin affected by CVE-2026-6703 documented previously). **CVE-2026-6675** allows unauthenticated attackers to send arbitrary emails to any recipient by exploiting insufficient authorization checks on a public REST API route, effectively turning affected WordPress sites into open mail relays.

## Vulnerability Details
– **CVE ID:** CVE-2026-6675
– **Severity:** Medium
– **Plugin:** Responsive Blocks – Page Builder for Blocks & Patterns
– **Affected Versions:** All versions up to and including **2.2.0**
– **Attack Vector:** Network (unauthenticated)
– **Attack Complexity:** Low
– **Privileges Required:** None
– **User Interaction:** None

## Vulnerability Mechanism
The plugin exposes a **public REST API route** that accepts a recipient email address without:
– Adequate authorization checks
– Server-side validation of the recipient email address

**Result:** Any unauthenticated visitor can trigger the site’s mail server to send emails to arbitrary recipients, turning the WordPress site into an **open mail relay** for spam or phishing campaigns.
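The hardened shape of a WordPress REST route that sends mail, as an added example that is not the plugin's own code: the route requires a capability instead of `__return_true`, and the recipient is fixed server-side rather than taken from the request. The namespace, route, option key and function names are hypothetical placeholders, since the page does not disclose the plugin's real route.

```php
<?php
// Added example, not the plugin's code. The namespace, route, option
// key and function names are hypothetical placeholders; the page does
// not disclose the plugin's real route.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blocks/v1', '/contact', array(
        'methods'  => 'POST',
        'callback' => 'example_blocks_send_contact_mail',

        // The weak setting behind this vulnerability class is
        // 'permission_callback' => '__return_true' (any visitor may call
        // the route). Require a capability appropriate to the feature.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },

        // Only subject and body are accepted from the caller; there is
        // deliberately no 'to' parameter, so the request cannot choose
        // the recipient.
        'args' => array(
            'subject' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'message' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

function example_blocks_send_contact_mail( WP_REST_Request $request ) {
    // Recipient comes from an administrator-controlled option (hypothetical
    // key), never from the request, and is validated server-side.
    $to = get_option( 'example_blocks_recipient', get_option( 'admin_email' ) );
    if ( ! is_email( $to ) ) {
        return new WP_Error(
            'example_blocks_bad_recipient',
            'No valid recipient is configured.',
            array( 'status' => 500 )
        );
    }

    $sent = wp_mail( $to, $request['subject'], $request['message'] );
    return rest_ensure_response( array( 'sent' => (bool) $sent ) );
}
```

If the feature must remain reachable by anonymous visitors, the permission callback can be relaxed, but the recipient must still come from site configuration and never from the request body.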

## Relationship to Prior CVE
This is the **second CVE** disclosed for the Responsive Blocks plugin:
– **CVE-2026-6703** (previously documented): Unauthorized access allowing contributor-level attackers to modify global site-wide settings
– **CVE-2026-6675** (this disclosure): Unauthenticated open email relay via REST API

**Pattern:** Multiple distinct vulnerabilities in the same plugin indicate poor security practices and suggest further undisclosed flaws may exist.

## Impact Assessment
1. **Spam/Phishing Enablement:** Affected sites become unwitting relay infrastructure for spam campaigns
2. **Reputation Damage:** Site’s mail server IP may be blacklisted if abused
3. **No Authentication Required:** Exploitable by any internet user without credentials
4. **Scale:** Responsive Blocks has a significant install base as a page builder

## Action Required for Ghost’s WordPress Properties
– Check if Responsive Blocks ≤ 2.2.0 is installed on any Ghost-managed WordPress sites
– Update to the patched version immediately if it is installed
– Monitor mail server logs for anomalous outbound email patterns
– Consider deactivating the plugin until it is fully patched

## Source Attribution
– **Primary Source:** TheHackerWire CVE-2026-6675 (published 11 hours ago)
– **URL:** https://www.thehackerwire.com/vulnerability/CVE-2026-6675/
– **Freshness:** 11 hours old at time of collection

## Collection Notes
– **Confidence:** High (CVE disclosure with technical details)
– **Pattern Note:** Continued flurry of WordPress plugin vulnerabilities reinforces need for active patch management
– **Follow-up Required:** Confirm patch availability; monitor for active exploitation reports
