Skip to main content

Canvas WordPress Plugin CVE-2026-9629

| EUVDEUVD-2026-36648 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-13 Wordfence GHSA-v675-74rr-5jfh
6.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Contributor credentials required (PR:L); stored payload still requires a victim to load the page (UI:R); script executes cross-context in visitor browsers (S:C).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 13, 2026 - 08:28 vuln.today
CVE Published
Jun 13, 2026 - 07:51 nvd
MEDIUM 6.4

DescriptionNVD

The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.

Technical ContextAI

The Canvas plugin (CPE: cpe:2.3:a:codesupplyco:canvas:*:*:*:*:*:*:*:*) extends WordPress with custom Gutenberg blocks. The root cause, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), lies in the block-section-heading render component: the 'tag' parameter accepted via the block attribute is neither sanitized on input nor escaped on output before being rendered into the HTML DOM. The vulnerable code paths are specifically identified in components/basic-elements/block-section-heading/render.php (lines 13 and 32) and the block registration in gutenberg/custom-blocks/index.php (line 798). Because the payload is stored server-side upon post save rather than reflected from a URL, it persists and fires on every page load without further attacker interaction - the hallmark of the Stored XSS variant.

RemediationAI

Update the Canvas plugin to version 2.5.3 or later immediately. The fix is documented in WordPress plugin repository changeset 3553553, which modifies components/basic-elements/block-section-heading/render.php to apply proper input sanitization and output escaping to the 'tag' parameter (https://plugins.trac.wordpress.org/changeset/3553553/canvas/trunk/components/basic-elements/block-section-heading/render.php). The changeset diff between tags/2.5.2 and tags/2.5.3 confirms the scope of the fix (https://plugins.trac.wordpress.org/changeset?old_path=%2Fcanvas/tags/2.5.2&new_path=%2Fcanvas/tags/2.5.3). If immediate patching is not possible, the most targeted compensating control is to audit and revoke contributor-level (and above) accounts for any untrusted or externally-facing users until the update is applied - this eliminates the PR:L prerequisite entirely. Sites running Wordfence with an active firewall subscription may benefit from virtual patching rules. Restricting the block-section-heading block from contributor-authored content via capability filters is a surgical workaround but requires custom code and carries maintenance overhead.

Share

CVE-2026-9629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy