CVE-2026-8981
Status: Received - Intake
Custom Block Builder WordPress Plugin Authenticated JavaScript Injection

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: WPScan

Description
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields. Administrators on multisite installations (or on single-site installs with DISALLOW_UNFILTERED_HTML defined), who lack that capability, can therefore inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: custom_block_builder; Product: custom_block_builder; Version range: up to 4.3.0 (excluding 4.3.0)
Vendor: lazy_blocks; Product: lazy_blocks; Version range: up to 4.3.0 (excluding 4.3.0)
CWE: CWE-UNKNOWN
Executive Summary

CVE-2026-8981 is a vulnerability in the Lazy Blocks WordPress plugin versions before 4.3.0. It is a stored Cross-Site Scripting (XSS) issue that arises because the plugin does not consistently check the unfiltered_html capability when writing to its block template code fields.

This flaw allows administrators on multisite installations or single-site installs with DISALLOW_UNFILTERED_HTML defined to inject arbitrary JavaScript code. The injected JavaScript executes for any visitor who views pages embedding the affected block.

An attacker with an Administrator role but without the unfiltered_html capability can exploit this by using XML-RPC to create a custom block containing malicious JavaScript, which then triggers the XSS when the page is viewed.

Impact Analysis

The vulnerability lets an attacker who holds the Administrator role, but not the unfiltered_html capability, inject malicious JavaScript into your website's pages.

The injected script executes in the browsers of any visitors viewing the affected pages, potentially leading to session hijacking, data theft, defacement, or other malicious actions performed on behalf of the visitor.

Since the attack is stored and triggers for all visitors of the affected block, it can have widespread impact on site users and damage the site's integrity and trustworthiness.

Detection Guidance

Installations running the Lazy Blocks plugin at any version earlier than 4.3.0 are affected, so the first detection step is to check the installed plugin version.

Additionally, review existing custom blocks for injected JavaScript in the lazyblocks_code_frontend_html field, paying particular attention to blocks created by administrators who do not hold the unfiltered_html capability.

A proof of concept uses XML-RPC to create a custom block carrying an XSS payload, but the available resources do not provide specific detection commands.
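The two checks described above (affected version, and script content in the lazyblocks_code_frontend_html field of blocks saved by accounts without unfiltered_html) can be scripted. The following is an added example for this record, not code from the plugin or from the advisory. The field name lazyblocks_code_frontend_html and the 4.3.0 boundary come from the record; the block records, their author and author_can_unfiltered_html keys, and the version strings are constructed for the example and are assumptions about how an operator would export the data (for instance via the database or WP-CLI), not the plugin's real export format.

```python
import re

# Constructed sample records standing in for exported block definitions.
# Only lazyblocks_code_frontend_html is a field named in the advisory; the
# other keys are assumptions for this example.
SAMPLE_BLOCKS = [
    {"post_id": 101, "author": "admin_site2", "author_can_unfiltered_html": False,
     "lazyblocks_code_frontend_html": '<div class="hero">{{title}}</div>'},
    {"post_id": 102, "author": "admin_site2", "author_can_unfiltered_html": False,
     "lazyblocks_code_frontend_html": '<div><script src="https://example.invalid/x.js"></script></div>'},
    {"post_id": 103, "author": "superadmin", "author_can_unfiltered_html": True,
     "lazyblocks_code_frontend_html": '<img src=x onerror="alert(1)">'},
    {"post_id": 104, "author": "editor1", "author_can_unfiltered_html": False,
     "lazyblocks_code_frontend_html": '<a href="javascript:void(0)">link</a>'},
]

# Indicators of script execution in block template HTML. These are broad on
# purpose: a hit is something for a human to review, not a verdict.
SCRIPT_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("inline_event_handler", re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_url", re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE)),
]

FIXED_VERSION = (4, 3, 0)  # first version the record lists as fixed


def parse_version(version):
    """Turn '4.2.9' (or '4.3') into a comparable 3-tuple of ints."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts))


def is_affected(installed_version):
    """True when the installed plugin version is earlier than 4.3.0."""
    return parse_version(installed_version) < FIXED_VERSION


def find_script_indicators(html):
    """Names of the SCRIPT_PATTERNS that match the given template HTML."""
    return [name for name, pattern in SCRIPT_PATTERNS if pattern.search(html)]


def scan_blocks(blocks):
    """Return one finding per block whose frontend HTML contains script indicators.

    A block saved by an author without unfiltered_html is exactly the condition
    the advisory describes, so it is marked 'high'; script saved by an account
    that legitimately holds the capability is still listed, but for review.
    """
    findings = []
    for block in blocks:
        hits = find_script_indicators(block.get("lazyblocks_code_frontend_html", ""))
        if not hits:
            continue
        findings.append({
            "post_id": block["post_id"],
            "author": block["author"],
            "indicators": hits,
            "priority": "high" if not block["author_can_unfiltered_html"] else "review",
        })
    return findings


if __name__ == "__main__":
    installed = "4.2.9"  # constructed value; read the real one from the plugin header
    print(f"plugin version {installed} affected: {is_affected(installed)}")
    for finding in scan_blocks(SAMPLE_BLOCKS):
        print(finding)
```

Feed scan_blocks() the real block records (post_id, author, and the author's capability resolved at export time) and triage the 'high' findings first; on a multisite install every site administrator without super-admin rights falls into that group.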

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Lazy Blocks WordPress plugin to version 4.3.0 or later, where the issue has been fixed.

Until the update is applied, limit the Administrator role to accounts that are also trusted with the unfiltered_html capability, so that no administrator without it can save block template code.

Also, review and remove any suspicious custom blocks that may contain injected scripts in the lazyblocks_code_frontend_html field.

Compliance Impact

The provided information does not specify how the vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
