CVE-2026-8981: CWE-79 Cross-Site Scripting (XSS) in Custom Block Builder
CVE-2026-8981 is a cross-site scripting (XSS) vulnerability in the Custom Block Builder WordPress plugin versions before 4. 3. 0. It arises because the plugin does not consistently enforce the unfiltered_html capability checks when writing to block template code fields. This allows administrators on multisite installations or single-site installs with DISALLOW_UNFILTERED_HTML defined to inject arbitrary JavaScript. The injected script executes for any visitor viewing pages containing the affected block. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The Custom Block Builder WordPress plugin prior to version 4.3.0 contains a CWE-79 Cross-Site Scripting vulnerability due to inconsistent enforcement of the unfiltered_html capability across code paths that write to block template fields. This flaw permits administrators on multisite setups or single-site installs with DISALLOW_UNFILTERED_HTML enabled to inject arbitrary JavaScript code. The malicious script executes in the context of any visitor accessing pages embedding the compromised block, potentially leading to client-side code execution. There is no CVSS score assigned, no patch or official remediation level indicated, and no known active exploitation.
Potential Impact
The vulnerability enables administrators with certain configurations to inject arbitrary JavaScript that executes in the browsers of visitors to pages containing the affected block. This could lead to typical XSS impacts such as session hijacking, defacement, or redirection, but only if an attacker has administrative privileges on the affected WordPress installation. No evidence of exploitation in the wild is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should be cautious about the use of the Custom Block Builder plugin in multisite environments or where DISALLOW_UNFILTERED_HTML is defined. Limiting administrative access and monitoring plugin updates is recommended.
CVE-2026-8981: CWE-79 Cross-Site Scripting (XSS) in Custom Block Builder
Description
CVE-2026-8981 is a cross-site scripting (XSS) vulnerability in the Custom Block Builder WordPress plugin versions before 4. 3. 0. It arises because the plugin does not consistently enforce the unfiltered_html capability checks when writing to block template code fields. This allows administrators on multisite installations or single-site installs with DISALLOW_UNFILTERED_HTML defined to inject arbitrary JavaScript. The injected script executes for any visitor viewing pages containing the affected block. No official patch or remediation guidance is currently available, and no known exploits are reported in the wild.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Custom Block Builder WordPress plugin prior to version 4.3.0 contains a CWE-79 Cross-Site Scripting vulnerability due to inconsistent enforcement of the unfiltered_html capability across code paths that write to block template fields. This flaw permits administrators on multisite setups or single-site installs with DISALLOW_UNFILTERED_HTML enabled to inject arbitrary JavaScript code. The malicious script executes in the context of any visitor accessing pages embedding the compromised block, potentially leading to client-side code execution. There is no CVSS score assigned, no patch or official remediation level indicated, and no known active exploitation.
Potential Impact
The vulnerability enables administrators with certain configurations to inject arbitrary JavaScript that executes in the browsers of visitors to pages containing the affected block. This could lead to typical XSS impacts such as session hijacking, defacement, or redirection, but only if an attacker has administrative privileges on the affected WordPress installation. No evidence of exploitation in the wild is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should be cautious about the use of the Custom Block Builder plugin in multisite environments or where DISALLOW_UNFILTERED_HTML is defined. Limiting administrative access and monitoring plugin updates is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-05-19T13:11:53.990Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a27adb3e29bf47b504f94cb
Added to database: 6/9/2026, 6:07:47 AM
Last enriched: 6/9/2026, 6:18:51 AM
Last updated: 6/9/2026, 7:58:22 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.