Skip to main content

Services Section Block CVE-2026-11402

| EUVDEUVD-2026-37849 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 Wordfence GHSA-vf4m-437w-3xxm
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim page visit (UI:R, not UI:N); contributor account needed (PR:L); scope change to victim browser (S:C) is accurate.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:23 vuln.today
CVE Published
Jun 18, 2026 - 05:34 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Services Section Block - Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The payload persists inside HTML comments in post_content, bypassing wp_kses_post sanitization at save time, and executes via both the primary service link anchor and a secondary title-wrapped anchor when the linkIn option is set to 'title'.

AnalysisAI

Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or compromise contributor WordPress account
Delivery
Create/edit post with Services Section Block
Exploit
Inject crafted payload into 'link' attribute with linkIn set to 'title'
Install
Payload stored in post_content bypassing wp_kses_post
C2
Victim loads injected page
Execute
Malicious script executes in victim's browser session
Impact
Steal session cookie or perform authenticated actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a WordPress account with at minimum contributor-level role on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.4 reflects a medium-severity finding with real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a contributor-level account on a target WordPress site running Services Section Block 1.4.4 or earlier. The attacker creates or edits a post containing a Services Section Block and sets the 'link' block attribute to a crafted value embedding JavaScript (e.g., a javascript: URI or event-handler payload) that survives wp_kses_post by residing inside an HTML comment structure. …
Remediation The upstream fix is available as WordPress plugin repository changeset 3570724 (https://plugins.trac.wordpress.org/changeset?old=3570724%40services-section&new=3570724%40services-section), but the exact released plugin version corresponding to this commit has not been independently confirmed from available data - update to the latest version available in the WordPress plugin repository and verify the installed version exceeds 1.4.4 once a tagged release is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy