Skip to main content

WP Blockade EUVDEUVD-2026-31407

| CVE-2026-3481 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-22 Wordfence GHSA-p9mp-xq3w-289v
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 05:17 vuln.today

DescriptionCVE.org

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the page without escaping. The endpoint is registered via admin_post_ (not admin_post_nopriv_), meaning it requires the user to be logged in with at minimum a Subscriber-level account. There is no nonce verification or additional capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute if they can successfully trick a user into performing an action such as clicking a link.

AnalysisAI

Reflected Cross-Site Scripting in WP Blockade - Visual Page Builder (all versions through 0.9.14) allows authenticated attackers holding at minimum a WordPress Subscriber-level account to inject arbitrary JavaScript into pages rendered in a victim's browser. The vulnerability exists in the render_shortcode_preview() function, which passes raw GET input through do_shortcode() without sanitization or output escaping - when the input is not a recognized shortcode, WordPress returns it verbatim, causing any embedded script to execute. Exploitation requires social engineering an authenticated user (e.g., an admin) into clicking a crafted link, but the low barrier to entry (Subscriber-level account) significantly widens the attacker pool on multi-user WordPress installations. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

The affected component is the render_shortcode_preview() AJAX callback in wp-blockade.php, registered via WordPress's admin_post_ hook (line 360 per Trac references), which restricts the endpoint to logged-in users only. At line 393, the function reads $_GET['shortcode'], applies stripslashes() - a data-cleaning function, not a security sanitizer - and passes the result directly to do_shortcode() before echoing the output. WordPress's do_shortcode() is designed to process registered shortcode tags; when it receives unrecognized input such as raw HTML with JavaScript event handlers (e.g., <img src=x onerror=alert(1)>), it returns the input unchanged. Because no output escaping (e.g., esc_html()) is applied before echo, the raw input is reflected into the HTTP response. The root cause maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the reflected subtype. The absence of nonce verification means there is no CSRF token check that could otherwise partially limit exploitation. CPE: cpe:2.3:a:burlingtonbytes:wp_blockade_-_visual_page_builder:*:*:*:*:*:*:*:*.

RemediationAI

No vendor-released patched version has been identified in the available intelligence at time of analysis; the Trac references point only to the vulnerable 0.9.14 tag and trunk without evidence of a subsequent fix commit or tagged release. Site administrators should monitor the WordPress.org plugin page and Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/66950509-ce2a-42fe-a8b2-2a92a1b573c3) for a patched release and upgrade immediately upon availability. As a compensating control, if the shortcode preview functionality is not actively used, deactivating or removing the WP Blockade plugin eliminates the attack surface entirely with no side effects beyond losing the visual page builder feature. Alternatively, restricting access to the WordPress admin_post_ endpoint for Subscriber-level users via a WAF rule targeting the render_shortcode_preview action would prevent exploitation while preserving higher-privilege admin use; note this is non-trivial to implement correctly without breaking legitimate admin functionality. On sites with open user registration, disabling open registration to prevent unauthorized Subscriber account creation raises the practical exploitation bar.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-31407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy