Skip to main content

Custom Block Builder CVE-2026-8981

| EUVDEUVD-2026-35352 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 contact@wpscan.com GHSA-cfcv-65jq-76jw
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 11:35 vuln.today
CVSS changed
Jun 09, 2026 - 11:22 NVD
3.5 (LOW)
Patch available
Jun 09, 2026 - 08:01 EUVD
CVE Published
Jun 09, 2026 - 06:16 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 06:16 nvd
LOW 3.5

DescriptionCVE.org

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

AnalysisAI

Stored cross-site scripting in the Custom Block Builder WordPress plugin (versions before 4.3.0) allows authenticated administrators to inject persistent JavaScript into block template code fields that executes in every visitor's browser on pages embedding the affected block. The vulnerability is specifically scoped to multisite WordPress installations or single-site deployments where DISALLOW_UNFILTERED_HTML is defined - environments that are supposed to restrict the unfiltered_html capability from lower-trust administrators. The root cause is inconsistent capability enforcement: certain code paths writing to block template fields bypass the unfiltered_html check that should gate raw HTML/JS input. No public exploit identified at time of analysis, and the CVSS score of 3.5 reflects the high-privilege prerequisite and limited confidentiality/integrity impact.

Technical ContextAI

The Custom Block Builder plugin (affected CPE inferred as wordpress plugin custom-block-builder < 4.3.0) extends WordPress's Gutenberg editor by providing a UI for authoring custom block templates. WordPress natively gates raw HTML and JavaScript injection through the unfiltered_html capability, which multisite super admins hold but regular site admins do not - and which is globally suppressed when DISALLOW_UNFILTERED_HTML is set in wp-config.php. CWE-79 (Improper Neutralization of Input During Web Page Generation) applies here: the plugin correctly checks unfiltered_html on some code paths writing to block template fields but omits the check on others, creating a bypass. The injected script is stored server-side and rendered to all visitors of any page that includes the affected block, making this a persistent (stored) rather than reflected XSS variant.

RemediationAI

Update the Custom Block Builder plugin to version 4.3.0 or later, which is confirmed as the patched release per vendor data from EUVD-2026-35352. The update closes the inconsistent unfiltered_html capability check across all block template code field write paths. For operators unable to update immediately, the most effective compensating control is to restrict the WordPress administrator role on multisite networks to only fully trusted individuals, thereby eliminating the untrusted-admin threat actor. Alternatively, auditing existing block templates for unexpected script tags or event handler attributes can identify prior injections. Removing the plugin entirely until patching is feasible is a zero-risk workaround but eliminates block-building functionality. Note that setting DISALLOW_UNFILTERED_HTML is a hardening measure that the plugin's bypass defeats - it does not serve as a compensating control against this specific CVE. Advisory references: WPScan at https://wpscan.com/vulnerability/9815b0e6-e411-4a5c-9c63-30bad21da698/ and VulDB at https://vuldb.com/vuln/369453.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-8981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy