CVE-2026-0894
Stored XSS in WordPress Content Blocks Plugin Allows Script Injection
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpengine | content_blocks | up to 3.3.9 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Content Blocks (Custom Post Widget) plugin for WordPress, specifically in versions up to and including 3.3.9. It is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of user-supplied values within the plugin's content_block shortcode.
This means that authenticated users with contributor-level access or higher can inject malicious scripts into content blocks. These scripts will then execute whenever any user accesses the affected page.
How can this vulnerability impact me?
This vulnerability allows attackers with contributor-level access or above to inject arbitrary web scripts into pages. When other users visit these pages, the malicious scripts execute in their browsers.
- It can lead to theft of user credentials or session tokens.
- It may enable attackers to perform actions on behalf of other users.
- It can result in defacement or manipulation of website content.