PT-2026-34842

🗓️ 24 Apr 2026 00:00:00Reported by Positive TechnologiesType

MaxiBlocks Builder plugin enables authors to delete uploads from wp-content with missing ownership checks (≤2.1.8).

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-2028	24 Apr 202603:27	–	attackerkb
CNNVD	WordPress plugin MaxiBlocks Builder 安全漏洞	24 Apr 202600:00	–	cnnvd
CVE	CVE-2026-2028	24 Apr 202603:27	–	cve
Cvelist	CVE-2026-2028 Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter	24 Apr 202603:27	–	cvelist
EUVD	EUVD-2026-25372	24 Apr 202603:27	–	euvd
NVD	CVE-2026-2028	24 Apr 202604:16	–	nvd
Patchstack	WordPress MaxiBlocks Builder plugin <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion vulnerability	23 Apr 202614:43	–	patchstack
Vulnrichment	CVE-2026-2028 Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter	24 Apr 202603:27	–	vulnrichment

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php
plugins	www.plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-2028
github	www.github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199
twitter	www.twitter.com/CVEnew/status/2048099319530627483
plugins	www.plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php
plugins	www.plugins.trac.wordpress.org/changeset

25 Apr 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3

EPSS0.00015

SSVC