Skip to main content

Generateblocks

3 CVEs product

Monthly

CVE-2026-9756 MEDIUM This Month

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's `linkMetaFieldType` dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a `get_safe_user_meta_keys()` allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled `javascript:` href. No CISA KEV listing exists at time of analysis, but Wordfence reporting and direct source code references lower the barrier to independent exploitation.

WordPress XSS Generateblocks
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-1452 MEDIUM PATCH This Month

The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2 via Query Loop. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Information Disclosure WordPress Generateblocks
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2021-24751 MEDIUM POC This Month

The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Generateblocks
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's `linkMetaFieldType` dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a `get_safe_user_meta_keys()` allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled `javascript:` href. No CISA KEV listing exists at time of analysis, but Wordfence reporting and direct source code references lower the barrier to independent exploitation.

WordPress XSS Generateblocks
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2 via Query Loop. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Information Disclosure WordPress +1
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Generateblocks
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy