Description
The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting exploitable by authenticated users with Contributor or higher access
Action: Apply Patch
AI Analysis

Impact

The SB Chart block plugin contains a stored XSS vulnerability that arises from insufficient sanitization and output escaping of the className parameter. When an authenticated user with Contributor privileges or higher injects JavaScript via this field, the payload is saved in the database and executed each time anyone views the affected page. Attackers can hijack user sessions, deface content, or steal sensitive information, and the flaw persists until the stored data is removed or the plugin is updated.

Affected Systems

The vulnerability affects the SB Chart block plugin from bobbingwide, specifically all releases up to and including version 1.2.6. Users running any of these versions are at risk, while newer releases beyond 1.2.6 are not impacted.

Risk and Exploitability

With a CVSS score of 6.4, the flaw is considered moderate, and the EPSS score of < 1% indicates a low probability of exploitation in the wild. The vulnerability is not currently listed in CISA’s KEV catalog. Exploitation requires the plugin to be installed and an attacker to hold at least Contributor access; the attack path involves submitting a block with a crafted className value, which is then stored and rendered for all visitors. Because authentication is required, the risk is limited to sites where Contributor-level accounts are held by untrusted or compromised users, but the impact on such a site's user base can still be significant.

Generated by OpenCVE AI on April 20, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SB Chart block to version 1.2.7 or later, which removes the vulnerability.
  • If an immediate update is not possible, restrict Contributor and higher roles from using the block, or remove the className field when rendering the content.
  • Implement server-side sanitization of the className parameter and ensure proper output escaping to eliminate XSS vectors.
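As an added illustration of the last two recommendations (this is not the SB Chart block plugin's own code; the block name, the function names and the shape of the render callback are assumed), a hypothetical server-side render callback in its weak form beside a hardened one that validates className token by token with WordPress's sanitize_html_class() and escapes the final attribute with esc_attr():

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress is loaded
// (sanitize_html_class() and esc_attr() are WordPress core functions).

// Weak pattern, shown for contrast only: the editor-supplied attribute is
// interpolated into HTML unchanged, so any quote or tag it carries reaches
// the browser intact. This is the class of defect the advisory describes.
function sb_example_render_weak( array $attributes ): string {
    $class = $attributes['className'] ?? '';
    return '<div class="wp-block-example ' . $class . '"></div>';
}

// Reduce an arbitrary string to a space-separated list of valid class
// tokens. sanitize_html_class() keeps only A-Z, a-z, 0-9, '_' and '-',
// so quotes, angle brackets, '=' and '/' cannot survive; empty results
// (a token that was nothing but rejected characters) are dropped.
// Constructed sample: 'chart "large' becomes 'chart large'.
function sb_example_clean_classes( string $raw ): string {
    $clean = array();
    foreach ( preg_split( '/\s+/', trim( $raw ) ) as $token ) {
        $token = sanitize_html_class( $token );
        if ( '' !== $token ) {
            $clean[] = $token;
        }
    }
    return implode( ' ', array_unique( $clean ) );
}

// Hardened pattern: sanitize on the way in, escape on the way out.
// esc_attr() is kept even though the sanitizer already rejects dangerous
// characters, so the output stays safe if the sanitizer is ever relaxed.
function sb_example_render_safe( array $attributes ): string {
    $raw   = (string) ( $attributes['className'] ?? '' );
    $class = sb_example_clean_classes( $raw );
    return sprintf(
        '<div class="%s"></div>',
        esc_attr( trim( 'wp-block-example ' . $class ) )
    );
}

// Assumed block name; wires the hardened callback into the block registry.
register_block_type( 'example/chart', array(
    'render_callback' => 'sb_example_render_safe',
) );
```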

Advisories

Source: EUVD
ID: EUVD-2025-15034
Title: The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Mon, 21 Apr 2025 15:15:00 +0000

  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 19 Apr 2025 09:30:00 +0000

  Description, values added:
    The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title, values added:
    SB Chart block <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter
  Weaknesses, values added:
    CWE-79
  References, values added:
  Metrics (cvssV3_1), values added:
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:33:37.050Z
Reserved: 2025-04-15T19:13:50.396Z
Link: CVE-2025-3661

Vulnrichment

Updated: 2025-04-21T14:59:24.758Z

NVD

Status: Deferred
Published: 2025-04-19T10:15:14.200
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-3661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses