CVE-2026-0894: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vanderwijk Content Blocks (Custom Post Widget)
The Content Blocks (Custom Post Widget) plugin for WordPress up to version 3. 3. 9 contains a stored cross-site scripting (XSS) vulnerability. This flaw arises from insufficient input sanitization and output escaping in the plugin's content_block shortcode, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the affected page, potentially compromising user sessions or data. The vulnerability has a CVSS 3. 1 base score of 6. 4, indicating a medium severity level. No official patch or remediation guidance has been provided yet, and no known exploits are reported in the wild. Users should monitor vendor advisories for updates and consider restricting contributor privileges until a fix is available.
AI Analysis
Technical Summary
CVE-2026-0894 is a stored cross-site scripting vulnerability in the Content Blocks (Custom Post Widget) WordPress plugin, affecting all versions up to 3.3.9. The vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied content in the content_block shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute in the context of users viewing the compromised pages. This can lead to limited confidentiality and integrity impacts but does not affect availability. The CVSS 3.1 score is 6.4 (medium severity). No patch or official remediation has been published as of the data provided.
Potential Impact
An attacker with contributor-level or higher privileges can inject malicious scripts into pages via the vulnerable shortcode. These scripts execute in the browsers of users who view the infected pages, potentially allowing theft of user credentials, session tokens, or other sensitive information. The impact is limited to confidentiality and integrity, with no direct availability impact. Since exploitation requires authenticated access, the risk is mitigated somewhat by access controls but remains significant in environments with multiple contributors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, limit contributor-level access to trusted users only. Avoid using the content_block shortcode with untrusted content. Monitor official vendor channels for updates and apply patches promptly once released.
CVE-2026-0894: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vanderwijk Content Blocks (Custom Post Widget)
Description
The Content Blocks (Custom Post Widget) plugin for WordPress up to version 3. 3. 9 contains a stored cross-site scripting (XSS) vulnerability. This flaw arises from insufficient input sanitization and output escaping in the plugin's content_block shortcode, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the affected page, potentially compromising user sessions or data. The vulnerability has a CVSS 3. 1 base score of 6. 4, indicating a medium severity level. No official patch or remediation guidance has been provided yet, and no known exploits are reported in the wild. Users should monitor vendor advisories for updates and consider restricting contributor privileges until a fix is available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-0894 is a stored cross-site scripting vulnerability in the Content Blocks (Custom Post Widget) WordPress plugin, affecting all versions up to 3.3.9. The vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied content in the content_block shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute in the context of users viewing the compromised pages. This can lead to limited confidentiality and integrity impacts but does not affect availability. The CVSS 3.1 score is 6.4 (medium severity). No patch or official remediation has been published as of the data provided.
Potential Impact
An attacker with contributor-level or higher privileges can inject malicious scripts into pages via the vulnerable shortcode. These scripts execute in the browsers of users who view the infected pages, potentially allowing theft of user credentials, session tokens, or other sensitive information. The impact is limited to confidentiality and integrity, with no direct availability impact. Since exploitation requires authenticated access, the risk is mitigated somewhat by access controls but remains significant in environments with multiple contributors.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, limit contributor-level access to trusted users only. Avoid using the content_block shortcode with untrusted content. Monitor official vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-01-13T13:49:58.337Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e350febdfbbecc5928ea75
Added to database: 4/18/2026, 9:38:06 AM
Last enriched: 4/18/2026, 9:53:07 AM
Last updated: 4/18/2026, 11:44:44 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.