CVE-2026-6378
Stored XSS in Maxi Blocks WordPress Plugin
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxi_blocks | maxi_blocks | to 2.1.9 (inc) |
| maxi_blocks | maxi_blocks | to 2.1.10 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6378 is a stored Cross-Site Scripting (XSS) vulnerability in the Maxi Blocks WordPress plugin, affecting all versions up to and including 2.1.9. The issue arises from insufficient input sanitization and output escaping of the 'sc_styles' parameter in the plugin's REST API endpoint `/wp-json/maxi-blocks/v1.0/style-card`. Authenticated users with Author-level access or higher can inject malicious scripts that get stored and executed on every page where the plugin's style card styles are loaded, including the entire WordPress admin panel.
The vulnerability was fixed in version 2.1.10 by adding proper sanitization using the `wp_strip_all_tags()` function to clean the 'sc_styles' parameter before processing and outputting it, preventing malicious scripts from being stored and executed.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with Author-level access or above to inject arbitrary malicious scripts into the WordPress site. These scripts can execute on every page where the plugin's style card styles are loaded, including the WordPress admin panel.
- Execution of malicious scripts could lead to unauthorized actions within the admin panel.
- Potential theft of sensitive information such as cookies or session tokens.
- Compromise of site integrity and user trust.
- Possible further exploitation by attackers leveraging the injected scripts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Maxi Blocks WordPress plugin is installed and running a vulnerable version (up to and including 2.1.9). Since the vulnerability is a stored cross-site scripting (XSS) via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint, monitoring or testing this endpoint for malicious payloads can help detect exploitation attempts.
You can use curl or similar HTTP clients to test the endpoint for improper input sanitization by sending crafted requests to the REST API endpoint and observing if scripts are stored or executed.
- Example command to test the endpoint (replace URL and authentication as needed):
- curl -X POST -H "Content-Type: application/json" -d '{"sc_styles":"<script>alert(1)</script>"}' https://yourwordpresssite.com/wp-json/maxi-blocks/v1.0/style-card --user author_username:password
If the script is stored and executed in the WordPress admin panel or on pages where the style card styles load, it indicates the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Maxi Blocks plugin to version 2.1.10 or later, where the vulnerability has been fixed by properly sanitizing the `sc_styles` parameter using `wp_strip_all_tags()`.
If updating immediately is not possible, restrict Author-level and higher user access to trusted users only, as the vulnerability requires authenticated users with Author-level access or above to exploit.
Additionally, monitor and audit the REST API usage, especially the `/wp-json/maxi-blocks/v1.0/style-card` endpoint, to detect and block suspicious requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Maxi Blocks plugin allows authenticated attackers with Author-level access to inject and execute arbitrary scripts via stored cross-site scripting (XSS). This can lead to unauthorized access or manipulation of data within the WordPress admin panel.
Such unauthorized script execution could potentially expose sensitive user data or administrative functions, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information against unauthorized access or breaches.
Therefore, failure to patch this vulnerability could increase the risk of non-compliance with these standards due to potential data exposure or compromise resulting from the XSS attack.