Skip to main content

Post Grid Gutenberg Blocks Postx

1 CVEs product

Monthly

CVE-2026-13253 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. No public exploit code has been identified at time of analysis, and no EPSS data was provided, but the contributor-level access requirement represents the primary real-world friction point for exploitation.

WordPress XSS Post Grid Gutenberg Blocks Postx
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. No public exploit code has been identified at time of analysis, and no EPSS data was provided, but the contributor-level access requirement represents the primary real-world friction point for exploitation.

WordPress XSS Post Grid Gutenberg Blocks Postx
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy