Description
The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configurablePrefix' Block Attribute in all versions up to, and including, 6.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gutenberg Essential Blocks plugin for WordPress allows a stored cross‑site scripting vulnerability through the ‘configurablePrefix’ block attribute. This vulnerability arises from insufficient input sanitization and output escaping, enabling authenticated users with Contributor or higher privileges to embed arbitrary JavaScript that will run whenever a page containing the injected block is viewed. Successful exploitation can lead to defacement, session hijacking, or malicious code execution on the victim’s browser, affecting the confidentiality and integrity of site content and user sessions.

Affected Systems

WordPress sites using the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin, versions up to and including 6.1.4. The vulnerability is present in all installations of that plugin where the block attribute exists and does not require any additional plugins or configuration changes.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score is not available, making it difficult to gauge current exploit prevalence. It is not listed in the CISA KEV catalog. The attack vector requires an authenticated user with at least Contributor access, meaning it is not publicly exploitable without login credentials but is accessible to legitimate users with moderate privileges. Once injected, the payload persists until the block data is removed, so the risk persists as long as the vulnerable plugin version is in use.

Generated by OpenCVE AI on June 25, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gutenberg Essential Blocks to version 6.1.5 or later, which removes the vulnerable block attribute.
  • Remove or disable the Gutenberg Essential Blocks plugin on sites that do not require it, until a patch is applied, to eliminate the attack surface.
  • Restrict Contributor role permissions for block creation and editing, or remove Contributor users who no longer need these privileges, to limit the ability to inject payloads.

Generated by OpenCVE AI on June 25, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns
Vendors & Products Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns

Thu, 25 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configurablePrefix' Block Attribute in all versions up to, and including, 6.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Gutenberg Essential Blocks - Page Builder for Gutenberg Blocks & Patterns <= 6.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'configurablePrefix' Block Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpdevteam Gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-25T12:27:38.276Z

Reserved: 2026-06-04T10:27:28.810Z

Link: CVE-2026-10833

cve-icon Vulnrichment

Updated: 2026-06-25T12:27:34.149Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T08:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')