CVE-2026-4125
Stored XSS in WPMK Block Plugin via Unsanitized Shortcode Attribute
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wpmk_block | to 1.0.1 (inc) |
| wpmarketplace | wpmk_block | to 1.0.1 (inc) |
| wpmk_block | wpmk_block | to 1.0.1 (inc) |
| wpmk_block | plugin | to 1.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WPMK Block plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'class' shortcode attribute in all versions up to 1.0.1. This happens because the plugin does not properly sanitize or escape user input for this attribute. Specifically, the 'class' attribute is taken from user input and directly inserted into an HTML div element's class attribute without escaping, allowing attackers with Contributor-level access or higher to inject malicious scripts that execute when other users view the affected pages.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with Contributor-level access or above to inject arbitrary malicious scripts into pages. These scripts execute in the browsers of users who visit the infected pages, potentially leading to theft of sensitive information, session hijacking, defacement, or other malicious actions. Because the attack is stored, the malicious code persists and affects all users who access the compromised content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting via the 'class' shortcode attribute in the WPMK Block plugin for WordPress. Detection involves identifying if your WordPress installation uses the WPMK Block plugin version 1.0.1 or earlier.
You can check the installed plugin version using WordPress CLI commands or by inspecting the plugin files.
- Run the command: wp plugin list | grep wpmk-block to see if the plugin is installed and its version.
- Search for suspicious shortcode usage in your WordPress content database that includes the 'class' attribute in wpmk_block shortcodes, which might indicate exploitation attempts.
- Use database queries such as: SELECT post_content FROM wp_posts WHERE post_content LIKE '%[wpmk_block%class=%'; to find posts containing the vulnerable shortcode attribute.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WPMK Block plugin to a version later than 1.0.1 where the issue is fixed.
If an update is not available, restrict Contributor-level and higher user access temporarily to prevent exploitation.
Review and sanitize any user-supplied shortcode attributes in your WordPress content, especially those using the 'class' attribute in wpmk_block shortcodes.
Consider applying manual patches or input sanitization in the wpmk_block_shortcode() function to escape the 'class' attribute properly (e.g., using esc_attr()).
Monitor your site for unusual script injections or unexpected behavior on pages using the wpmk_block shortcode.