Skip to main content

Custom Query Blocks EUVDEUVD-2026-20223

| CVE-2026-39575 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-2mw3-cgxq-9prq
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20223
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ronald Huereca Custom Query Blocks post-type-archive-mapping allows DOM-Based XSS.This issue affects Custom Query Blocks: from n/a through <= 5.5.0.

AnalysisAI

DOM-based cross-site scripting (XSS) in Ronald Huereca Custom Query Blocks WordPress plugin version 5.5.0 and earlier allows authenticated users to inject malicious scripts via the post-type-archive-mapping functionality. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability across site boundaries (S:C). With EPSS at 0.03% and no confirmed active exploitation, this is a low-probability risk despite the medium CVSS score, indicating exploitation requires specific preconditions unlikely to occur in typical deployments.

Technical ContextAI

This vulnerability exploits improper input neutralization (CWE-79) in the post-type-archive-mapping component of the Custom Query Blocks plugin. The flaw is classified as DOM-based XSS, meaning the malicious payload is processed and injected into the document object model on the client side rather than server-side, typically arising from unsafe use of JavaScript methods like innerHTML, eval(), or document.write() without adequate sanitization. The plugin, built for WordPress, lacks sufficient escaping or Content Security Policy protections when rendering user-supplied or administrator-controlled query parameters related to archive mapping, allowing arbitrary script execution within the browser context of authenticated users.

RemediationAI

Upgrade Custom Query Blocks to a version later than 5.5.0 immediately; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/post-type-archive-mapping/vulnerability/wordpress-custom-query-blocks-plugin-5-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve) for the exact patched version number and installation instructions. As an interim workaround, restrict plugin access to trusted administrators only and limit use of the post-type-archive-mapping feature until patching is feasible. Review WordPress user roles and capabilities to ensure only essential administrators retain access to custom query configuration. Apply general XSS prevention measures site-wide via WordPress security plugins that enforce Content Security Policy headers.

Share

EUVD-2026-20223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy