CVE Catalog

CVE-2026-8981

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

8th percentile — higher than 8% of all known CVEs

Summary

The Custom Block Builder WordPress plugin before version 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields. This allows administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

Risk Assessment

The risk involves the potential for injecting malicious JavaScript code, which could lead to user data theft or session hijacking. Such a vulnerability can severely damage the organization's reputation and user trust.

Recommendation

It is recommended to update the Custom Block Builder plugin to version 4.3.0 or later to mitigate this vulnerability. Additionally, conducting an audit of administrator permissions in multisite installations is advisable.

Original NVD description (English source)

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS