CVE-2026-9756
Severity: Medium (CVSS 6.4)
Summary
The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Headline Block 'linkMetaFieldType' Dynamic Link Attribute in versions up to and including 2.2.1 due to insufficient input sanitization and output escaping.
Risk Assessment
An authenticated attacker with contributor-level access or higher can inject arbitrary web scripts that execute whenever a user visits an injected page. The attacker can store a JavaScript payload in their own profile description and use the linkMetaFieldType attribute to turn it into a malicious href; when an administrator clicks the rendered headline link, the script runs in that administrator's browser and may lead to session hijacking or data theft.
Recommendation
Update the GenerateBlocks plugin to the latest available version immediately to remediate this vulnerability. Until the update is applied, restrict user permissions and monitor activity related to headline blocks.
Original NVD description (English source)
The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can store a JavaScript payload in their own profile description (allowlisted by get_safe_user_meta_keys()) and prepend 'javascript:' via the linkMetaFieldType attribute, creating a fully attacker-controlled href that executes when any user, including an administrator, clicks the rendered headline link.
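The Risk Assessment and the NVD description above both describe the same flaw class: a link prefix chosen by a block attribute is concatenated with a stored user-meta value and emitted as an href without scheme validation or output escaping. The following is an added example, not GenerateBlocks code; the field-type names, the scheme allowlist and the stored-block shape are assumptions constructed for illustration. It shows the hardened builder (known field types only, allowlisted scheme only) beside the weak pattern, plus an audit helper for the monitoring step the Recommendation calls for.

```python
import re

# Constructed scheme allowlist for this example; WordPress core keeps the equivalent list
# in wp_allowed_protocols() and esc_url() rejects anything outside it.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# Hypothetical field types a renderer knows how to map to a prefix (not the plugin's values).
KNOWN_FIELD_TYPES = {"url": "", "email": "mailto:", "phone": "tel:"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_LEADING_CONTROL = "".join(map(chr, range(0x21)))  # NUL..space


def build_href_vulnerable(link_meta_field_type: str, meta_value: str) -> str:
    """Weak pattern from the advisory: the attribute is used verbatim as the prefix and the
    stored meta value is appended, so the attacker controls the whole href."""
    return link_meta_field_type + meta_value


def scheme_of(url: str) -> str:
    """Return the URL scheme the way a browser would see it: leading control characters
    and embedded tab/CR/LF are ignored during scheme parsing, so drop them first."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").lstrip(_LEADING_CONTROL)
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else ""


def build_href_hardened(link_meta_field_type: str, meta_value: str):
    """Only a known field type may select the prefix, and the assembled URL must be
    relative or carry an allowlisted scheme; otherwise no link is rendered (None)."""
    prefix = KNOWN_FIELD_TYPES.get(link_meta_field_type)
    if prefix is None:
        return None
    candidate = prefix + meta_value.strip()
    scheme = scheme_of(candidate)
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return candidate


def audit_headline_blocks(blocks):
    """Detection side: flag stored headline blocks whose linkMetaFieldType is unknown or
    whose resolved href would be rejected. `blocks` is a constructed list of
    (post_id, attrs, meta_value) tuples, not the plugin's real storage layout."""
    flagged = []
    for post_id, attrs, meta_value in blocks:
        field_type = attrs.get("linkMetaFieldType", "")
        if build_href_hardened(field_type, meta_value) is None:
            flagged.append(post_id)
    return flagged
```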