CVE-2026-3481: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in burlingtonbytes WP Blockade – Visual Page Builder
The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the page without escaping. The endpoint is registered via admin_post_ (not admin_post_nopriv_), meaning it requires the user to be logged in with at minimum a Subscriber-level account. There is no nonce verification or additional capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute if they can successfully trick a user into performing an action such as clicking a link.
AI Analysis
Technical Summary
CVE-2026-3481 is a reflected cross-site scripting vulnerability in the WP Blockade – Visual Page Builder WordPress plugin affecting all versions up to 0.9.14. The vulnerability arises in the render_shortcode_preview() function, which takes user input from the 'shortcode' GET parameter, applies stripslashes() without sanitization, and outputs it via echo do_shortcode($shortcode). If the input is not a valid shortcode, it is returned unchanged and reflected without escaping, enabling script injection. The vulnerable endpoint is accessible only to authenticated users with Subscriber-level privileges or higher, and lacks nonce verification or capability checks, increasing the risk of abuse by authenticated attackers. No known exploits are reported in the wild, and no patch or official remediation is currently documented.
Potential Impact
An authenticated attacker with at least Subscriber-level access can inject arbitrary JavaScript code via the 'shortcode' parameter, which is reflected in the page output without proper escaping. This can lead to cross-site scripting attacks that may compromise user sessions or perform actions on behalf of users who click crafted links. The vulnerability does not allow unauthenticated exploitation and does not impact availability. The CVSS score of 6.1 reflects a medium severity impact with low confidentiality and integrity impact and no availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level user capabilities if possible and monitor for plugin updates from the vendor. Note that admin_post_ handlers run for any logged-in user regardless of role, so trimming Subscriber capabilities alone does not close the endpoint; disabling open registration (the "Anyone can register" setting) limits who can obtain the account the attack requires. Since the vulnerability requires authenticated access, limiting user roles and educating users about phishing risks can reduce exploitation likelihood. Avoid clicking suspicious links that could trigger the reflected XSS. No nonce or capability checks are present, so additional hardening (a capability check, nonce verification and output escaping placed in front of the handler from a must-use plugin) may be considered as a temporary mitigation.
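The description and the mitigation notes above both come down to the same three missing controls: a capability check, a nonce, and output escaping. The following is an added example, not the plugin's own code; it shows the handler pattern the advisory describes next to a hardened form written as a WordPress admin_post_ callback. The action slug wpb_preview, the function names, the text domain and the choice of the edit_posts capability are assumptions (the plugin's real action name is not on the page); a default Subscriber has only the read capability, so the edit_posts gate alone already excludes that role.

```php
<?php
/**
 * Added example for CVE-2026-3481 (not the plugin's code).
 * Assumptions: action slug 'wpb_preview', function names, 'edit_posts' capability,
 * text domain 'wpb-example'. Deploy as a must-use plugin in a WordPress install.
 */

// --- Pattern described in the advisory, kept only for contrast (never hook this) ---
// function render_shortcode_preview() {
//     $shortcode = stripslashes( $_GET['shortcode'] ); // no sanitization
//     echo do_shortcode( $shortcode );                  // non-shortcode input reflected raw
// }

// --- Hardened handler ---
add_action( 'admin_post_wpb_preview', 'wpb_hardened_shortcode_preview' );

function wpb_hardened_shortcode_preview() {
    // 1. Capability check. admin_post_ only guarantees "logged in", so gate on a real
    //    capability; the default Subscriber role does not have edit_posts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to preview shortcodes.', 'wpb-example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Nonce check. A crafted cross-site link cannot carry a valid nonce, which is
    //    exactly the delivery path a reflected XSS depends on. The legitimate link must
    //    be built with wp_nonce_url( $url, 'wpb_preview' ).
    check_admin_referer( 'wpb_preview' );

    // 3. Input handling: wp_unslash() is the WordPress way to undo magic-quote slashes.
    $shortcode = isset( $_GET['shortcode'] ) ? wp_unslash( $_GET['shortcode'] ) : '';

    // 4. Only render input that is a single registered shortcode. get_shortcode_regex()
    //    is built from the tags registered at this moment, so arbitrary markup such as
    //    an HTML tag with an event handler never reaches do_shortcode() at all.
    if ( '' === $shortcode || ! preg_match( '/^' . get_shortcode_regex() . '$/s', $shortcode ) ) {
        wp_die(
            esc_html__( 'Not a registered shortcode.', 'wpb-example' ),
            '',
            array( 'response' => 400 )
        );
    }

    // 5. Output escaping. Shortcode output is intended to be HTML, so esc_html() would
    //    break the preview; wp_kses_post() keeps post-safe markup and strips <script>
    //    and on* event-handler attributes, even if a shortcode callback emits them.
    header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) );
    echo wp_kses_post( do_shortcode( $shortcode ) );
    exit;
}
```

Steps 1 and 2 are what the advisory reports as absent; step 4 removes the "do_shortcode() returns it unchanged" path entirely, and step 5 is defence in depth for the case where a registered shortcode's own output is untrusted. Each control stands on its own, so a site that cannot change the preview link to carry a nonce still benefits from the capability check and the output filter.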
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-03T14:45:44.658Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a0fe2c7e1370fbb4890d7b1
Added to database: 5/22/2026, 4:59:51 AM
Last enriched: 5/22/2026, 5:15:43 AM
Last updated: 5/23/2026, 6:00:56 PM