Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires victim page visit (UI:R, not UI:N); contributor account needed (PR:L); scope change to victim browser (S:C) is accurate.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Services Section Block - Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The payload persists inside HTML comments in post_content, bypassing wp_kses_post sanitization at save time, and executes via both the primary service link anchor and a secondary title-wrapped anchor when the linkIn option is set to 'title'.
AnalysisAI
Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a WordPress account with at minimum contributor-level role on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 6.4 reflects a medium-severity finding with real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor-level account on a target WordPress site running Services Section Block 1.4.4 or earlier. The attacker creates or edits a post containing a Services Section Block and sets the 'link' block attribute to a crafted value embedding JavaScript (e.g., a javascript: URI or event-handler payload) that survives wp_kses_post by residing inside an HTML comment structure. … |
| Remediation | The upstream fix is available as WordPress plugin repository changeset 3570724 (https://plugins.trac.wordpress.org/changeset?old=3570724%40services-section&new=3570724%40services-section), but the exact released plugin version corresponding to this commit has not been independently confirmed from available data - update to the latest version available in the WordPress plugin repository and verify the installed version exceeds 1.4.4 once a tagged release is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37849
GHSA-vf4m-437w-3xxm