Attackers can upload malicious files through MaxiBlocks Builder. This puts your WordPress site at risk. You need to patch this right away.
CVE-2026-2028: What Is the Risk?
This vulnerability carries a CVSS score of 5.3. It allows unauthenticated users to upload arbitrary files. An attacker could upload PHP shells or other dangerous files. These files could give them full site control. They could steal data or deface your website.
CVE-2026-2028: Vulnerability Description
CVE-2026-2028 affects the MaxiBlocks page builder plugin. The plugin fails to validate file uploads properly, so attackers can easily bypass file type restrictions. They can upload PHP, executable scripts, or other malicious files. The plugin does not check file extensions or MIME types during upload. This makes the attack simple to execute.
Any visitor to your site can trigger this vulnerability. They do not need a user account. They do not need any special privileges. This increases the risk significantly. Automated scanners actively target this type of flaw.
Affected Versions
All versions of MaxiBlocks Builder are affected. The vendor has released a patched version. Check your plugin version immediately. If you run an unpatched version, your site is vulnerable.
How to Fix It
Update MaxiBlocks Builder to the latest version right now. Go to your WordPress admin dashboard. Navigate to Plugins and find MaxiBlocks Builder. Click Update Now. The patched version adds proper file validation checks. It verifies file extensions and MIME types. It also restricts upload permissions.
After updating, review your uploads folder for suspicious files. Remove any files that look dangerous. Use a security plugin to scan your site. Keep automatic updates enabled for all plugins. This helps protect you from future vulnerabilities.
What Is MaxiBlocks?
MaxiBlocks is a WordPress page builder with over 500 pre-built blocks and templates. It comes with a drag-and-drop interface, responsive design controls, and a built-in style system. Agencies and freelancers use it to build custom WordPress sites without writing code.
The plugin has over 10,000 active installations and a 4.5-star rating on WordPress.org. Its popularity makes it a prime target for vulnerability research.
The Vulnerability Details
CVE-2026-2028 is an arbitrary file upload vulnerability. An unauthenticated attacker can upload malicious PHP files through the plugin’s file upload functionality. The flaw exists because the plugin fails to validate file types before processing uploads.
This vulnerability carries a CVSS score of 9.8, which is critical. Attackers can upload web shells and execute arbitrary code on the server. Once they have code execution, they can steal data, install backdoors, or take over the entire site.
Versions at Risk
All versions of MaxiBlocks up to and including 1.38.0 are affected. The patch was released in version 1.38.1. If you are running version 1.38.0 or earlier, your site is vulnerable right now.
Update Instructions
Open your WordPress dashboard and navigate to Plugins > Installed Plugins. Find MaxiBlocks and click Update Now. The update brings you to version 1.38.1, which filters uploaded files by extension and MIME type.
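The fix described in the "How to Fix It" and "Update Instructions" sections comes down to validating each upload by extension and by content before it is written to disk. The following is an added example of such a validator written in Python for illustration; it is not MaxiBlocks' own code (the plugin's patched check is PHP and is not reproduced on this page). The allowlist of image and PDF types, the magic-byte table and the list of server-executable extensions are assumptions chosen for the example.

```python
"""Reference upload validator (added example, not the MaxiBlocks plugin's code)."""
import os
import re

# Allowlisted extensions and the magic bytes each one's content must start with.
# Constructed, illustrative set; a real site lists exactly the types it needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a web server may hand to a script interpreter. They are rejected
# wherever they appear in the name, so "shell.php.png" is refused as well.
SERVER_EXECUTABLE = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "cgi", "pl", "py", "sh", "htaccess",
}


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe storage name for the file, or raise UploadRejected.

    Checks, in order: a plain base name, no server-executable extension anywhere,
    an allowlisted final extension, content whose magic bytes match that
    extension, and no PHP open tag hidden inside the content (polyglot file).
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty or dot-file name")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    name, exts = parts[0], parts[1:]
    if any(e in SERVER_EXECUTABLE for e in exts):
        raise UploadRejected("server-executable extension in name")
    ext = exts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowlisted")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("PHP open tag embedded in content")
    # Normalise the stored name so nothing from the client reaches the filesystem unchanged.
    safe = re.sub(r"[^a-z0-9_-]", "_", name)[:64] or "upload"
    return f"{safe}.{ext}"


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the file."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed samples showing which uploads get through and why others do not.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for fname, payload in [
        ("photo.PNG", png),
        ("shell.php", b"<?php /* constructed */"),
        ("shell.php.png", png),
        ("shell.png", b"<?php /* constructed */"),
        ("photo.png", png + b"<?php "),
    ]:
        try:
            print(f"{fname:16s} accepted as {validate_upload(fname, payload)}")
        except UploadRejected as exc:
            print(f"{fname:16s} rejected: {exc}")
```

The important design point is that the extension check alone is not enough: the content check catches a script renamed to an image extension, and the embedded-tag check catches a genuine image with PHP appended, which matters on servers that have been configured to execute images.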
After updating, check your site for signs of compromise. Look for unknown files in /wp-content/uploads/, unexpected admin users, and suspicious entries in your server’s access logs. If you find anything unusual, run a security scan immediately.
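The post-update review described above (both in "How to Fix It" and here) can be scripted. The following Python is an added example, not tooling from the MaxiBlocks project: it walks an uploads tree and flags script files, server configuration files and images carrying a PHP open tag, and it filters Apache combined-format access log lines for requests that execute a script under /wp-content/uploads/. The sample uploads tree and the log lines are constructed for the demonstration; the set of script extensions is an assumption.

```python
"""Review wp-content/uploads and access logs after patching (added example)."""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Extensions a web server could execute if a file with one lands under uploads
# (constructed, illustrative set).
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
              "cgi", "pl", "py", "sh"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def classify_file(path: str) -> Optional[str]:
    """Return a reason string if the file does not belong in an uploads tree, else None."""
    base = os.path.basename(path)
    if base in (".htaccess", ".user.ini"):
        return "server config file in uploads (can change how files are executed)"
    exts = base.lower().split(".")[1:]
    if any(e in SCRIPT_EXT for e in exts):
        return f"script extension in name: {base}"
    with open(path, "rb") as fh:
        head = fh.read(65536)
    if PHP_TAG.search(head):
        return "PHP open tag inside a non-script file (possible polyglot)"
    return None


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk an uploads tree and return (relative path, reason) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def flag_log_lines(lines) -> List[str]:
    """Return access-log lines whose request path is a script under /wp-content/uploads/."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if path.startswith("/wp-content/uploads/") and path.rsplit(".", 1)[-1] in SCRIPT_EXT:
            hits.append(line)
    return hits


def make_sample_uploads() -> str:
    """Create a constructed uploads tree in a temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    month = os.path.join(root, "2026", "02")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,              # ordinary image
        "cache.php": b"<?php /* constructed placeholder */ ?>",        # script where none belongs
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php ",  # image with a PHP tag inside
        ".htaccess": b"# constructed placeholder\n",                   # config file in uploads
    }
    for name, data in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(data)
    return root


# Constructed Apache combined-format lines; the addresses are documentation ranges.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Feb/2026:13:01:22 +0000] "GET /wp-content/uploads/2026/02/photo.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2026:13:02:10 +0000] "POST /wp-content/uploads/2026/02/cache.php HTTP/1.1" 200 88 "-" "curl/8.4"
198.51.100.7 - - [10/Feb/2026:13:03:41 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    root = make_sample_uploads()
    for rel, reason in scan_uploads(root):
        print(f"{rel}: {reason}")
    for line in flag_log_lines(SAMPLE_ACCESS_LOG.splitlines()):
        print("log:", line)
```

On a real site, point scan_uploads at the actual uploads directory and feed flag_log_lines the server's access log; a script under uploads that the log shows being requested is the strongest indicator that the upload flaw was used before the patch went on, and that file should be preserved for investigation rather than simply deleted.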
The MaxiBlocks plugin is available on wordpress.org/plugins/maxi-blocks/.