EUVD-2026-24666
GHSA-f4p3-578m-v245
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk_block_shortcode() function, the 'class' attribute is extracted from user-controllable shortcode attributes and directly concatenated into an HTML div element's class attribute without any escaping (e.g., esc_attr()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in WPMK Block plugin for WordPress up to version 1.0.1 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'class' shortcode attribute, which is directly concatenated into HTML without proper escaping. The vulnerability affects all versions through 1.0.1 due to insufficient input sanitization in the wpmk_block_shortcode() function, enabling persistent XSS attacks that execute whenever users access compromised pages.
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today