Skip to main content

Scratchblocks for WP CVE-2026-6247

| EUVDEUVD-2026-29402 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-12 Wordfence GHSA-54wj-7676-6jj4
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 08:49 vuln.today
CVE Published
May 12, 2026 - 07:48 nvd
MEDIUM 6.4

DescriptionCVE.org

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in Scratchblocks for WP plugin for WordPress allows authenticated contributors and above to inject arbitrary JavaScript through the 'element' attribute of the 'scratchblocks' shortcode due to insufficient input sanitization and output escaping. The vulnerability affects all versions up to 1.0.1 and enables malicious scripts to execute in the browsers of all users viewing affected pages, with cross-site scope impact.

Technical ContextAI

The vulnerability exists in WordPress shortcode processing, specifically in the 'scratchblocks' shortcode handler that processes the 'element' attribute. WordPress shortcodes are a templating mechanism allowing users with publishing capabilities to embed dynamic content via square-bracket syntax (e.g., [scratchblocks element='value']). The plugin fails to sanitize user-supplied attribute values before storing them in the database (allowing persistence of the XSS payload) and fails to properly escape output when rendering the shortcode content. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability where untrusted input flows directly into HTML output without sanitization or contextual escaping. The CPE indicates this affects the tkc49 Scratchblocks for WP plugin across all versions through 1.0.1.

RemediationAI

Update the Scratchblocks for WP plugin to a patched version released after 1.0.1 immediately. Check the WordPress Plugin Directory or the plugin's GitHub/official repository for the latest release that includes input sanitization via wp_kses_post() or sanitize_text_field() for the 'element' attribute and proper output escaping via esc_attr() or esc_html() depending on the context where 'element' is rendered. If an updated version is not available, deactivate and remove the plugin from production environments. As a temporary workaround pending patching, restrict contributor-level access to only trusted administrators by auditing WordPress user roles via wp-admin > Users and removing unnecessary contributor accounts. Additionally, implement Content Security Policy (CSP) headers that prohibit inline script execution (script-src 'self' only) to mitigate XSS payload execution even if injected. Be aware that CSP with 'self' may break plugin functionality if the plugin relies on inline scripts; coordinate testing before deployment. Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/cf64f1c5-257d-49b2-b626-eaa4592b8335

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-6247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy