Description
The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the Content Blocks (Custom Post Widget) plugin. The plugin's content_block shortcode does not properly sanitize or escape user-supplied content, allowing an authenticated user with contributor or higher privileges to embed malicious JavaScript. When a user accesses a page containing the injected shortcode, the script executes in the victim's browser, potentially enabling credential theft, session hijacking, or other client-side attacks. This weakness is classified as CWE-79.

Affected Systems

WordPress installations running the Content Blocks (Custom Post Widget) plugin (vendor: vanderwijk) in any version up to and including 3.3.9 are affected. Sites that grant Contributor-level or higher permissions are at risk, because such users can insert the harmful content.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity. The lack of EPSS data means the current exploitation probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack requires valid credentials, but since many sites hand out contributor accounts, the real-world risk is non-negligible. Updating to a fixed release, or disabling the content_block shortcode until one is deployed, removes the stored XSS exposure.

Generated by OpenCVE AI on April 18, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Content Blocks (Custom Post Widget) plugin to a version newer than 3.3.9 (preferably the latest release).
  • Remove or disable the content_block shortcode from any pages or posts until a secure version is deployed.
  • Restrict or remove Contributor and higher roles from sites where the plugin is active until a fix or upgrade is applied.

Generated by OpenCVE AI on April 18, 2026 at 17:00 UTC.
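The second recommended action above (disable the content_block shortcode until a patched release is deployed) can be implemented as a must-use plugin. This is an added example, not code from the Content Blocks plugin or its author; it relies only on the WordPress core shortcode, $wpdb and WP-CLI APIs, and the helper and command names are hypothetical.

```php
<?php
/**
 * Plugin Name: content_block shortcode kill-switch (temporary mitigation)
 * Description: Added example, not code from the Content Blocks plugin. Drop into
 * wp-content/mu-plugins/ to neutralise the vulnerable [content_block] shortcode
 * until the plugin is upgraded past 3.3.9.
 */

// Replace the plugin's handler with an inert one. Priority PHP_INT_MAX makes
// this run after any handler the plugin registered on 'init'.
add_action('init', function (): void {
    if (shortcode_exists('content_block')) {
        remove_shortcode('content_block');
    }
    add_shortcode('content_block', function ($atts, $content = null): string {
        // Record each suppressed render so affected posts can be reviewed.
        $post_id = get_the_ID();
        error_log(sprintf('[content_block-killswitch] shortcode suppressed in post %s',
            $post_id !== false ? (string) $post_id : 'unknown'));
        // Only administrators get a visible hint; everyone else sees nothing.
        return current_user_can('manage_options')
            ? '<!-- content_block shortcode disabled pending plugin update -->'
            : '';
    });
}, PHP_INT_MAX);

/**
 * List IDs of non-trashed posts whose content still contains [content_block,
 * so they can be checked for injected markup before the shortcode is re-enabled.
 * Hypothetical helper name; uses the core $wpdb API.
 */
function cbk_posts_using_content_block(): array {
    global $wpdb;
    $like = '%' . $wpdb->esc_like('[content_block') . '%';
    $ids  = $wpdb->get_col($wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_content LIKE %s AND post_status <> 'trash'",
        $like
    ));
    return array_map('intval', $ids);
}

// Optional WP-CLI entry point: `wp content-block-audit` prints the affected post IDs.
if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('content-block-audit', function (): void {
        foreach (cbk_posts_using_content_block() as $id) {
            WP_CLI::line(sprintf('%d %s', $id, get_permalink($id)));
        }
    });
}
```

Because the shortcode is resolved at render time, existing posts keep their [content_block] markup untouched; the audit command lists them so their stored content can be reviewed before the plugin is updated and the shortcode restored.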

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Johan Van Der Wijk; Johan Van Der Wijk content Blocks Custom Post Widget; Wordpress; Wordpress wordpress
Vendors & Products | | Johan Van Der Wijk; Johan Van Der Wijk content Blocks Custom Post Widget; Wordpress; Wordpress wordpress

Mon, 20 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 18 Apr 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Content Blocks (Custom Post Widget) <= 3.3.9 - Authenticated (Author+) Stored Cross-Site Scripting via content_block Shortcode
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Johan Van Der Wijk Content Blocks Custom Post Widget
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-20T13:48:40.598Z

Reserved: 2026-01-13T13:49:58.337Z

Link: CVE-2026-0894

Vulnrichment

Updated: 2026-04-20T13:48:31.843Z

NVD

Status: Received

Published: 2026-04-18T10:16:12.093

Modified: 2026-04-18T10:16:12.093

Link: CVE-2026-0894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:58:45Z

Weaknesses