Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Contributor credentials required (PR:L); stored payload still requires a victim to load the page (UI:R); script executes cross-context in visitor browsers (S:C).
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.
Technical ContextAI
The Canvas plugin (CPE: cpe:2.3:a:codesupplyco:canvas:*:*:*:*:*:*:*:*) extends WordPress with custom Gutenberg blocks. The root cause, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), lies in the block-section-heading render component: the 'tag' parameter accepted via the block attribute is neither sanitized on input nor escaped on output before being rendered into the HTML DOM. The vulnerable code paths are specifically identified in components/basic-elements/block-section-heading/render.php (lines 13 and 32) and the block registration in gutenberg/custom-blocks/index.php (line 798). Because the payload is stored server-side upon post save rather than reflected from a URL, it persists and fires on every page load without further attacker interaction - the hallmark of the Stored XSS variant.
RemediationAI
Update the Canvas plugin to version 2.5.3 or later immediately. The fix is documented in WordPress plugin repository changeset 3553553, which modifies components/basic-elements/block-section-heading/render.php to apply proper input sanitization and output escaping to the 'tag' parameter (https://plugins.trac.wordpress.org/changeset/3553553/canvas/trunk/components/basic-elements/block-section-heading/render.php). The changeset diff between tags/2.5.2 and tags/2.5.3 confirms the scope of the fix (https://plugins.trac.wordpress.org/changeset?old_path=%2Fcanvas/tags/2.5.2&new_path=%2Fcanvas/tags/2.5.3). If immediate patching is not possible, the most targeted compensating control is to audit and revoke contributor-level (and above) accounts for any untrusted or externally-facing users until the update is applied - this eliminates the PR:L prerequisite entirely. Sites running Wordfence with an active firewall subscription may benefit from virtual patching rules. Restricting the block-section-heading block from contributor-authored content via capability filters is a surgical workaround but requires custom code and carries maintenance overhead.
A buffer overflow is present in canvas version <= 1.6.9, which could lead to a Denial of Service or execution of arbitra
cnvs.io Canvas 3.3.0 has XSS in the title and content fields of a "Posts > Add New" action, and during creation of new t
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36648
GHSA-v675-74rr-5jfh