Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in Scratchblocks for WP plugin for WordPress allows authenticated contributors and above to inject arbitrary JavaScript through the 'element' attribute of the 'scratchblocks' shortcode due to insufficient input sanitization and output escaping. The vulnerability affects all versions up to 1.0.1 and enables malicious scripts to execute in the browsers of all users viewing affected pages, with cross-site scope impact.
Technical ContextAI
The vulnerability exists in WordPress shortcode processing, specifically in the 'scratchblocks' shortcode handler that processes the 'element' attribute. WordPress shortcodes are a templating mechanism allowing users with publishing capabilities to embed dynamic content via square-bracket syntax (e.g., [scratchblocks element='value']). The plugin fails to sanitize user-supplied attribute values before storing them in the database (allowing persistence of the XSS payload) and fails to properly escape output when rendering the shortcode content. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability where untrusted input flows directly into HTML output without sanitization or contextual escaping. The CPE indicates this affects the tkc49 Scratchblocks for WP plugin across all versions through 1.0.1.
RemediationAI
Update the Scratchblocks for WP plugin to a patched version released after 1.0.1 immediately. Check the WordPress Plugin Directory or the plugin's GitHub/official repository for the latest release that includes input sanitization via wp_kses_post() or sanitize_text_field() for the 'element' attribute and proper output escaping via esc_attr() or esc_html() depending on the context where 'element' is rendered. If an updated version is not available, deactivate and remove the plugin from production environments. As a temporary workaround pending patching, restrict contributor-level access to only trusted administrators by auditing WordPress user roles via wp-admin > Users and removing unnecessary contributor accounts. Additionally, implement Content Security Policy (CSP) headers that prohibit inline script execution (script-src 'self' only) to mitigate XSS payload execution even if injected. Be aware that CSP with 'self' may break plugin functionality if the plugin relies on inline scripts; coordinate testing before deployment. Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/cf64f1c5-257d-49b2-b626-eaa4592b8335
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29402
GHSA-54wj-7676-6jj4