Skip to main content

Essential Blocks CVE-2026-10833

| EUVDEUVD-2026-39164 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 Wordfence GHSA-298j-vh9r-mc78
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L confirmed by explicit Contributor requirement; UI:R assessed independently because a victim must load the injected page for payload execution, constituting passive but required user interaction; S:C retained as script executes outside the plugin's authorization domain.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 04:31 vuln.today
CVE Published
Jun 25, 2026 - 03:42 nvd
MEDIUM 6.4

DescriptionCVE.org

The Gutenberg Essential Blocks - Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configurablePrefix' Block Attribute in all versions up to, and including, 6.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the configurablePrefix attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or register Contributor-level WordPress account
Delivery
Create or edit post containing Table of Contents block
Exploit
Inject JavaScript payload into configurablePrefix attribute
Install
Save or publish post to persist payload in database
C2
Victim (any user) loads the injected page
Execute
Stored script executes in victim's browser
Impact
Session cookie theft or unauthorized browser-side action

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum Contributor-level privileges on the target installation - this is the binding prerequisite confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 score reflects a Scope:Changed impact, acknowledging that the vulnerability's effect crosses the boundary from the WordPress application into victims' browser contexts - a meaningful elevation beyond typical low-privilege content injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor registers a Contributor account on a WordPress site running Essential Blocks 6.1.4 or earlier - achievable on any site with open registration - then creates or edits a post embedding a Table of Contents block and sets the `configurablePrefix` attribute to a crafted JavaScript payload. After saving the post, every visitor who loads the page, including site administrators, triggers the stored script in their browser, allowing the attacker to silently harvest session cookies, redirect users to a credential-harvesting site, or inject content impersonating the site. …
Remediation No patched release version is confirmed in the available intelligence - the Trac references point exclusively to the 6.1.4 vulnerable tag, and no newer tagged release with a fix is cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy