CVE-2026-0894

EUVD-2026-23670 MEDIUM

2026-04-18 Wordfence

XSS WordPress

6.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 18, 2026 - 09:49 vuln.today

DescriptionNVD

The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in Content Blocks (Custom Post Widget) plugin for WordPress affects all versions up to 3.3.9, allowing authenticated contributors and above to inject arbitrary JavaScript via the content_block shortcode that executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping; no public exploit code or active exploitation has been identified at the time of analysis, but the low attack complexity and broad scope (cross-site) make this a significant risk for WordPress sites with untrusted contributor accounts.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-0894 vulnerability details – vuln.today

Back