Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Custom Query Blocks post-type-archive-mapping allows DOM-Based XSS.This issue affects Custom Query Blocks: from n/a through <= 5.5.0.
AnalysisAI
DOM-based cross-site scripting (XSS) in Ronald Huereca Custom Query Blocks WordPress plugin version 5.5.0 and earlier allows authenticated users to inject malicious scripts via the post-type-archive-mapping functionality. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability across site boundaries (S:C). With EPSS at 0.03% and no confirmed active exploitation, this is a low-probability risk despite the medium CVSS score, indicating exploitation requires specific preconditions unlikely to occur in typical deployments.
Technical ContextAI
This vulnerability exploits improper input neutralization (CWE-79) in the post-type-archive-mapping component of the Custom Query Blocks plugin. The flaw is classified as DOM-based XSS, meaning the malicious payload is processed and injected into the document object model on the client side rather than server-side, typically arising from unsafe use of JavaScript methods like innerHTML, eval(), or document.write() without adequate sanitization. The plugin, built for WordPress, lacks sufficient escaping or Content Security Policy protections when rendering user-supplied or administrator-controlled query parameters related to archive mapping, allowing arbitrary script execution within the browser context of authenticated users.
RemediationAI
Upgrade Custom Query Blocks to a version later than 5.5.0 immediately; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/post-type-archive-mapping/vulnerability/wordpress-custom-query-blocks-plugin-5-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve) for the exact patched version number and installation instructions. As an interim workaround, restrict plugin access to trusted administrators only and limit use of the post-type-archive-mapping feature until patching is feasible. Review WordPress user roles and capabilities to ensure only essential administrators retain access to custom query configuration. Apply general XSS prevention measures site-wide via WordPress security plugins that enforce Content Security Policy headers.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20223
GHSA-2mw3-cgxq-9prq