Skip to main content

Magazine Blocks CVE-2026-57650

| EUVDEUVD-2026-39765 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-32p4-hwpj-mqvq
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L confirmed by Contributor-role requirement; UI:R for victim page view; S:C for XSS browser boundary; A:N because XSS does not cause meaningful availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:10 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions.

AnalysisAI

Stored Cross-Site Scripting in the Magazine Blocks WordPress plugin (versions ≤ 1.8.3) allows authenticated contributors to inject persistent malicious JavaScript into page content. Because the vulnerability carries a scope change (S:C in CVSS), successful exploitation targets the browsers of higher-privileged users - typically editors or administrators - who view the affected content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Contributor account
Delivery
Craft malicious XSS payload in Magazine Blocks block
Exploit
Save poisoned draft/post
Execution
Induce admin or editor to preview content
Persist
Script executes in victim browser
Impact
Exfiltrate session token or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum a WordPress Contributor account on the target site - unauthenticated exploitation is not possible given PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 6.5 (Medium) vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L accurately reflects the meaningful prerequisite: an attacker must already hold a Contributor account on the target WordPress site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Contributor-level WordPress account on a site running Magazine Blocks ≤ 1.8.3, then creates or edits a draft post embedding a malicious JavaScript payload within a Magazine Blocks block attribute. When a site administrator or editor opens the post for review or preview, the script executes in their browser, potentially exfiltrating the session cookie or performing privileged WordPress actions on their behalf. …
Remediation Update the Magazine Blocks plugin beyond version 1.8.3; the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/magazine-blocks/vulnerability/wordpress-magazine-blocks-plugin-1-8-3-cross-site-scripting-xss-vulnerability) should be consulted for the confirmed patched release version, which was not independently specified in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy