Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS impact requires a victim to navigate to the injected page (UI:R); scope change is accurate as script executes in victim browser context (S:C); contributor authentication is required (PR:L).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored cross-site scripting in the Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder WordPress plugin (versions through 4.7.4) enables authenticated contributors to persistently inject malicious JavaScript via the unsanitized 'commentIcon' parameter, executing in any visitor's browser on affected pages. The CVSS Scope:Changed metric reflects that attacker-controlled code crosses trust boundaries into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of privileged users such as site administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at minimum contributor-level privileges, as confirmed by PR:L in the CVSS vector - anonymous or subscriber-level access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) reflects a network-exploitable, low-complexity flaw with a scope change, but the PR:L metric is the primary real-world limiter - an attacker must control a valid WordPress contributor account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or compromises a contributor-level WordPress account on a target site uses the Nexter Blocks tp-post-meta block to craft a post or page, embedding a malicious JavaScript payload (such as a cookie exfiltration script) into the 'commentIcon' parameter before publishing. The payload persists in the database without sanitization. … |
| Remediation | Update the Nexter Blocks plugin to a version beyond 4.7.4 via the WordPress plugin dashboard or wp-cli. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42232
GHSA-7825-vqgh-fjg4