Executive Summary

CVE-2026-6378 is a stored Cross-Site Scripting (XSS) vulnerability in the Maxi Blocks WordPress plugin, affecting all versions up to and including 2.1.9. The issue arises from insufficient input sanitization and output escaping of the 'sc_styles' parameter in the plugin's REST API endpoint `/wp-json/maxi-blocks/v1.0/style-card`. Authenticated users with Author-level access or higher can inject malicious scripts that get stored and executed on every page where the plugin's style card styles are loaded, including the entire WordPress admin panel.

The vulnerability was fixed in version 2.1.10 by adding proper sanitization using the `wp_strip_all_tags()` function to clean the 'sc_styles' parameter before processing and outputting it, preventing malicious scripts from being stored and executed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users with Author-level access or above to inject arbitrary malicious scripts into the WordPress site. These scripts can execute on every page where the plugin's style card styles are loaded, including the WordPress admin panel.

• Execution of malicious scripts could lead to unauthorized actions within the admin panel.
• Potential theft of sensitive information such as cookies or session tokens.
• Compromise of site integrity and user trust.
• Possible further exploitation by attackers leveraging the injected scripts.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the Maxi Blocks WordPress plugin is installed and running a vulnerable version (up to and including 2.1.9). Since the vulnerability is a stored cross-site scripting (XSS) via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint, monitoring or testing this endpoint for malicious payloads can help detect exploitation attempts.

You can use curl or similar HTTP clients to test the endpoint for improper input sanitization by sending crafted requests to the REST API endpoint and observing if scripts are stored or executed.

• Example command to test the endpoint (replace URL and authentication as needed):
• curl -X POST -H "Content-Type: application/json" -d '{"sc_styles":"<script>alert(1)</script>"}' https://yourwordpresssite.com/wp-json/maxi-blocks/v1.0/style-card --user author_username:password

If the script is stored and executed in the WordPress admin panel or on pages where the style card styles load, it indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Maxi Blocks plugin to version 2.1.10 or later, where the vulnerability has been fixed by properly sanitizing the `sc_styles` parameter using `wp_strip_all_tags()`.

If updating immediately is not possible, restrict Author-level and higher user access to trusted users only, as the vulnerability requires authenticated users with Author-level access or above to exploit.

Additionally, monitor and audit the REST API usage, especially the `/wp-json/maxi-blocks/v1.0/style-card` endpoint, to detect and block suspicious requests.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the Maxi Blocks plugin allows authenticated attackers with Author-level access to inject and execute arbitrary scripts via stored cross-site scripting (XSS). This can lead to unauthorized access or manipulation of data within the WordPress admin panel.

Such unauthorized script execution could potentially expose sensitive user data or administrative functions, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information against unauthorized access or breaches.

Therefore, failure to patch this vulnerability could increase the risk of non-compliance with these standards due to potential data exposure or compromise resulting from the XSS attack.

Useful 0 Not Useful 0