📄 Description (English)
The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.
🤖 AI Executive Summary
CVE-2026-2028 affects the MaxiBlocks Builder WordPress plugin (versions ≤2.1.8), allowing authenticated users with Author-level permissions to delete arbitrary media files via an AJAX action lacking proper file ownership validation. While requiring authentication and Author-level access, this vulnerability enables unauthorized deletion of critical business assets, website content, and potentially sensitive documents stored in WordPress uploads directories. The absence of a patch and medium CVSS score (5.3) should not underestimate the operational impact on Saudi organizations relying on WordPress for content management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 30, 2026 04:11
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations most affected include: (1) Government agencies and municipalities using WordPress for public portals and content management (NCA oversight); (2) Banking and financial services sector using WordPress for customer-facing websites and marketing content (SAMA compliance); (3) Healthcare providers and hospitals managing patient education materials and public health information; (4) Media and publishing companies relying on WordPress for news distribution; (5) Educational institutions using WordPress for course materials and institutional websites; (6) E-commerce businesses storing product images and marketing assets. The vulnerability poses significant risk to data integrity and business continuity, particularly for organizations with multiple content contributors.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Hospitals
Media and Publishing
Education
E-commerce and Retail
Telecommunications
Energy and Utilities
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using MaxiBlocks Builder plugin versions ≤2.1.8 across your organization
2. Review access logs for the 'maxi_remove_custom_image_size' AJAX action to identify suspicious file deletion activities
3. Restrict Author-level and above user accounts to trusted personnel only; audit existing user roles
4. Implement file integrity monitoring on wp-content/uploads directory using tools like AIDE or Tripwire
PATCHING GUIDANCE:
1. Disable or deactivate MaxiBlocks Builder plugin immediately until patch is released
2. If plugin functionality is critical, consider alternative page builders (Elementor, Divi, Gutenberg) with better security records
3. Monitor MaxiBlocks official repository and security advisories for patch availability
4. Test any updates in staging environment before production deployment
COMPENSATING CONTROLS (if plugin cannot be disabled):
1. Implement Web Application Firewall (WAF) rules to block AJAX requests to 'maxi_remove_custom_image_size' action
2. Use WordPress security plugins (Wordfence, Sucuri) to restrict AJAX action execution
3. Apply file system permissions: set wp-content/uploads to 755 with immutable flag on critical files
4. Implement database-level backups with hourly snapshots of wp-content/uploads
5. Use WordPress user role management to minimize Author-level accounts
DETECTION RULES:
1. Monitor WordPress error logs for 'maxi_remove_custom_image_size' AJAX calls from non-administrator accounts
2. Alert on any file deletions in wp-content/uploads directory outside scheduled maintenance windows
3. Track user account privilege escalations and new Author-level account creations
4. Implement SIEM rules to correlate AJAX requests with subsequent file system deletions
5. Use file integrity monitoring to detect unauthorized changes to uploads directory
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم إضافة MaxiBlocks Builder الإصدارات ≤2.1.8 عبر مؤسستك
2. مراجعة سجلات الوصول لإجراء AJAX 'maxi_remove_custom_image_size' لتحديد أنشطة حذف الملفات المريبة
3. تقييد حسابات المستخدمين على مستوى المؤلف وما فوقه للموظفين الموثوقين فقط؛ تدقيق أدوار المستخدمين الحالية
4. تنفيذ مراقبة سلامة الملفات في دليل wp-content/uploads باستخدام أدوات مثل AIDE أو Tripwire
إرشادات التصحيح:
1. تعطيل أو إلغاء تنشيط إضافة MaxiBlocks Builder فوراً حتى يتم إصدار التصحيح
2. إذا كانت وظيفة الإضافة حرجة، فكر في منشئي صفحات بديلة (Elementor و Divi و Gutenberg) بسجلات أمان أفضل
3. مراقبة مستودع MaxiBlocks الرسمي والتنبيهات الأمنية لتوفر التصحيح
4. اختبر أي تحديثات في بيئة التدريج قبل نشر الإنتاج
الضوابط التعويضية (إذا لم يتمكن من تعطيل الإضافة):
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر طلبات AJAX لإجراء 'maxi_remove_custom_image_size'
2. استخدام مكونات أمان WordPress (Wordfence و Sucuri) لتقييد تنفيذ إجراء AJAX
3. تطبيق أذونات نظام الملفات: تعيين wp-content/uploads إلى 755 مع علم ثابت على الملفات الحرجة
4. تنفيذ النسخ الاحتياطية على مستوى قاعدة البيانات مع لقطات كل ساعة من wp-content/uploads
5. استخدم إدارة أدوار مستخدمي WordPress لتقليل حسابات المستوى المؤلف
قواعد الكشف:
1. مراقبة سجلات خطأ WordPress لاستدعاءات AJAX 'maxi_remove_custom_image_size' من حسابات غير المسؤول
2. تنبيه على أي حذف ملفات في دليل wp-content/uploads خارج نوافذ الصيانة المجدولة
3. تتبع ترقيات امتيازات حساب المستخدم وإنشاء حسابات جديدة على مستوى المؤلف
4. تنفيذ قواعس SIEM لربط طلبات AJAX بحذف نظام الملفات اللاحق
5. استخدم مراقبة سلامة الملفات للكشف عن التغييرات غير المصرح بها في دليل التحميلات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Internal Organization
A.7.1.1 - Access Control Policy
A.8.1.1 - Asset Management
A.12.2.1 - Change Management
A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
ID.AM-2: Software Inventory
PR.AC-1: Access Control Policy
PR.PT-2: Removable Media Protection
DE.CM-1: Network Monitoring
DE.CM-3: Personnel Activity Monitoring
RS.MI-2: Incident Recovery
🟡 ISO 27001:2022
A.5.1 - Management Direction
A.6.1 - Internal Organization
A.7.1 - Access Control
A.8.1 - Asset Management
A.12.2 - Change Management
A.12.6 - Management of Technical Vulnerabilities
A.14.2 - Development and Support Processes
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall Configuration Standards
Requirement 2.2 - Configuration Standards
Requirement 6.2 - Security Patches
Requirement 10.2 - User Activity Logging
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199
security@wordfence.com
https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=347670...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198...
security@wordfence.com