Zypento Blocks CVE-2026-5820

EUVD-2026-24696 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-22 Wordfence

WordPress XSS

6.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 22, 2026 - 09:58 vuln.today

DescriptionNVD

The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via innerText and inserting it into the page using innerHTML without proper sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in Zypento Blocks plugin for WordPress up to version 1.0.6 allows authenticated attackers with Author-level privileges to inject arbitrary JavaScript into page content via the Table of Contents block. The vulnerability exists because the front-end rendering script reads heading text using innerText and renders it via innerHTML without sanitization, causing injected scripts to execute whenever users access the compromised page. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-5820 vulnerability details – vuln.today

Back