Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Meta Field Block WordPress plugin (versions ≤1.5.2) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'tagName' block attribute. Any user who subsequently visits a page containing the injected block will execute the attacker's arbitrary JavaScript in their browser context. A vendor-released patch (1.5.3) is available; no public exploit has been identified and EPSS and SSVC signals both indicate low exploitation probability at this time.
Technical ContextAI
Meta Field Block (CPE: cpe:2.3:a:mr2p:meta_field_block_-_display_custom_fields_in_the_block_editor_without_coding:*:*:*:*:*:*:*:*) is a WordPress Gutenberg block editor plugin that renders custom post meta fields as HTML elements, where the 'tagName' attribute controls the HTML tag used for output. CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: the plugin fails to sanitize the 'tagName' value on input and fails to escape it on output when generating block HTML. Because the Scope is Changed (S:C) in the CVSS vector, the injected script executes in the victim's browser security context rather than just the WordPress application context, enabling session theft, credential harvesting, or UI redress attacks against any site visitor. The fix was committed in trac changeset 3517519 to helper-functions.php in version 1.5.3.
RemediationAI
Vendor-released patch: version 1.5.3. Site administrators should update the Meta Field Block plugin to version 1.5.3 or later via the WordPress plugin dashboard or wp-cli ('wp plugin update display-a-meta-field-as-block'). The fix is confirmed in trac changeset 3517519, specifically in includes/helper-functions.php (https://plugins.trac.wordpress.org/changeset/3517519/display-a-meta-field-as-block/tags/1.5.3/includes/helper-functions.php). If immediate patching is not possible, a compensating control is to revoke or restrict contributor-level roles on the WordPress installation, preventing untrusted users from creating or editing block content - note this may disrupt editorial workflows. Alternatively, a WAF rule blocking non-allowlisted HTML tag names in block attribute submissions can reduce exposure, though this requires rule maintenance and may break legitimate usage.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30252
GHSA-h83f-558m-52cw