Description
The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-28
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The BlockArt Blocks WordPress plugin, in all versions up to and including 2.2.14, contains a stored cross‑site scripting flaw (CWE-79). The BlockArt Counter block neither sanitizes its user‑supplied attributes on input nor escapes them on output, so an authenticated user with contributor‑level access or higher can store arbitrary script in a post or page through that block. Whenever anyone loads the affected page, the script runs in that visitor’s browser under the site’s origin, allowing actions to be performed with the victim’s WordPress privileges (for example through the site’s REST API with the victim’s nonce), theft of any cookies or tokens not protected by HttpOnly, page defacement, or further attacks against other visitors.

Affected Systems

All WordPress sites running BlockArt Blocks 2.2.14 or earlier are affected. Site administrators should confirm the installed version under Plugins in wp-admin or with WP-CLI (wp plugin list); compare versions numerically rather than as strings, since a lexical comparison wrongly ranks 2.2.9 above 2.2.14.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a network‑reachable flaw that requires only low privileges and no interaction from the victim beyond loading the page, with changed scope because the payload executes in other users’ browsers. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the flaw is not listed in CISA’s KEV catalog. An attacker needs an account with contributor or higher privileges and crafts the malicious block attributes through the block editor or by submitting the raw block markup directly. In a default WordPress configuration contributors cannot publish, so the first victim is typically an editor or administrator who previews or reviews the pending post; because the script then runs with that user’s privileges, a contributor‑level stored XSS is a practical path to privilege escalation as well as a threat to ordinary visitors once the page is published.

Generated by OpenCVE AI on April 20, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BlockArt Blocks to a release later than 2.2.14 that the vendor identifies as fixing this issue.
  • If an upgrade cannot be performed immediately, review every account with contributor‑level access or above, remove accounts that are no longer needed, and consider suspending contributor access until the fix is applied; note that the payload is most likely to fire on an editor or administrator who previews a pending post.
  • For sites that must remain on a vulnerable version, filter the server‑rendered output of BlockArt blocks (for example by passing it through wp_kses_post() on the render_block filter) so that script tags and event‑handler attributes smuggled in through block attributes are stripped before the page is served, and audit existing posts for BlockArt Counter blocks created by low‑privilege users.
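The following must-use plugin is an added example of the version check and the temporary output filtering described above; it is not code from BlockArt or OpenCVE. It assumes the plugin's main file is at wp-content/plugins/blockart-blocks/blockart.php and that BlockArt registers its blocks under the "blockart/" namespace; both are assumptions to verify against your installation. It only activates while the installed version is within the affected range, and it should be removed once the plugin has been upgraded.

```php
<?php
/**
 * Plugin Name: BlockArt Counter XSS mitigation (temporary)
 * Description: Added example, not BlockArt code. Place in wp-content/mu-plugins/
 *              while the site still runs BlockArt Blocks <= 2.2.14; delete after upgrading.
 */

// ASSUMPTIONS (adjust to your install): plugin main file path relative to
// WP_PLUGIN_DIR, and the block namespace BlockArt uses when registering blocks.
const BLOCKART_MITIGATION_PLUGIN_FILE = 'blockart-blocks/blockart.php';
const BLOCKART_MITIGATION_NAMESPACE   = 'blockart/';
// Last affected version according to the advisory.
const BLOCKART_MITIGATION_LAST_VULN   = '2.2.14';

/**
 * True when $version is within the affected range (all versions up to and
 * including 2.2.14). version_compare() handles multi-digit components
 * correctly, unlike a string comparison, where "2.2.9" would sort above "2.2.14".
 */
function blockart_mitigation_is_vulnerable_version(string $version): bool {
    return version_compare($version, BLOCKART_MITIGATION_LAST_VULN, '<=');
}

/** Reads the installed BlockArt version from the plugin header, or null if absent. */
function blockart_mitigation_installed_version(): ?string {
    $file = WP_PLUGIN_DIR . '/' . BLOCKART_MITIGATION_PLUGIN_FILE;
    if (!file_exists($file)) {
        return null; // not installed at the assumed path
    }
    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data($file, false, false);
    return isset($data['Version']) && $data['Version'] !== '' ? $data['Version'] : null;
}

/**
 * render_block filter: pass the server-rendered HTML of every BlockArt block
 * through wp_kses_post(), which removes <script> elements, on* event handlers
 * and javascript: URLs that an unescaped block attribute could have carried
 * into the output. Runs at the lowest priority so it sees the final markup.
 */
function blockart_mitigation_filter_block(string $block_content, array $block): string {
    $name = $block['blockName'] ?? '';
    $ns   = BLOCKART_MITIGATION_NAMESPACE;
    if (strncmp($name, $ns, strlen($ns)) !== 0) {
        return $block_content; // not a BlockArt block, leave untouched
    }
    return wp_kses_post($block_content);
}

add_action('plugins_loaded', function (): void {
    $version = blockart_mitigation_installed_version();
    if ($version === null || !blockart_mitigation_is_vulnerable_version($version)) {
        return; // not installed, or already past the affected range: no-op
    }

    add_filter('render_block', 'blockart_mitigation_filter_block', PHP_INT_MAX, 2);

    // Remind administrators that this is a stopgap, not the vendor fix.
    add_action('admin_notices', function () use ($version): void {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html("BlockArt Blocks $version is affected by CVE-2025-14283; "
                . "temporary output filtering is active. Upgrade the plugin.")
        );
    });
});
```

wp_kses_post() applies the same allow-list WordPress uses for post content, so it may also strip markup the Counter block legitimately emits (inline SVG or script used for the animation, for instance); test on a staging site before deploying, and treat this as a stopgap rather than a substitute for the vendor's fix.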

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 29 Jan 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
                                      Wpblockart
                                      Wpblockart blockart Blocks
Vendors & Products                    Wordpress
                                      Wordpress wordpress
                                      Wpblockart
                                      Wpblockart blockart Blocks

Wed, 28 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 11:30:00 +0000

Type Values Removed Values Added
Description The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpblockart Blockart Blocks
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T15:08:54.044Z

Reserved: 2025-12-08T18:30:39.600Z

Link: CVE-2025-14283

Vulnrichment

Updated: 2026-01-28T14:31:10.376Z

NVD

Status : Deferred

Published: 2026-01-28T12:15:49.750

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14283

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses