Description
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block (essential-blocks/add-to-cart) in all versions up to, and including, 6.0.4. This is due to insufficient output escaping in the render_callback() function where these attributes are placed into class and data-id HTML attributes using raw sprintf() and implode() without esc_attr() escaping. While the outer wrapper div uses get_block_wrapper_attributes() which properly escapes, the inner divs do not. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Essential Blocks – Page Builder for Gutenberg exposes a stored Cross‑Site Scripting flaw. The Add to Cart block accepts className, classHook, and blockId attributes without escaping before inserting them into class and data-id HTML attributes. This lets an authenticated Contributor or higher inject arbitrary JavaScript that executes when a page containing the block is loaded, potentially compromising user sessions, defacing content, or stealing sensitive data. The weakness is a classic unchecked input leading to content injection, classified as CWE‑79.
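To make the escaping defect concrete, here is an added illustration in PHP; it is constructed for this page and is not the plugin's source. The function names, the `eb-parent-*` class names and the fallback `esc_attr()` definition (present only so the file runs outside WordPress) are assumptions; the attribute names and the sprintf()/implode() pattern are the ones the description above gives.

```php
<?php
// Stand-in so this file runs outside WordPress. Inside WordPress the real
// esc_attr() exists and this block is never reached.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable shape (constructed): the saved block attributes, which a
// Contributor controls, are placed into class="..." and data-id="..." via
// raw sprintf()/implode(). A value containing a double quote therefore
// terminates the attribute and the rest of the value becomes markup.
function eb_add_to_cart_inner_vulnerable( array $attributes ): string {
    $class_hook = $attributes['classHook'] ?? '';
    $block_id   = $attributes['blockId'] ?? '';
    $classes    = array( 'eb-parent-wrapper', 'eb-parent-' . $block_id, $class_hook );

    return sprintf(
        '<div class="%s" data-id="%s"></div>',
        implode( ' ', $classes ),
        $block_id
    );
}

// Hardened shape: identical element, but every attacker-influenced value
// passes through esc_attr() at the point where it enters an attribute.
function eb_add_to_cart_inner_hardened( array $attributes ): string {
    $class_hook = $attributes['classHook'] ?? '';
    $block_id   = $attributes['blockId'] ?? '';
    $classes    = array( 'eb-parent-wrapper', 'eb-parent-' . $block_id, $class_hook );

    return sprintf(
        '<div class="%s" data-id="%s"></div>',
        esc_attr( implode( ' ', $classes ) ),
        esc_attr( $block_id )
    );
}

// Quick self-check on a constructed value that contains a double quote:
// the hardened output must keep that quote inside the attribute as &quot;
// and must contain no raw quote other than the four attribute delimiters.
function eb_check_no_attribute_breakout( string $html ): bool {
    return substr_count( $html, '"' ) === 4;
}

$attrs = array( 'blockId' => 'abc"x', 'classHook' => 'hook' );
var_dump( eb_check_no_attribute_breakout( eb_add_to_cart_inner_vulnerable( $attrs ) ) ); // bool(false)
var_dump( eb_check_no_attribute_breakout( eb_add_to_cart_inner_hardened( $attrs ) ) );   // bool(true)
```

The fix is deliberately local: escaping happens where the value is interpolated, so the outer wrapper built by get_block_wrapper_attributes() and the inner divs end up protected the same way.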

Affected Systems

The vulnerability exists in all releases of the Gutenberg Essential Blocks plugin up to and including version 6.0.4. WordPress sites using this plugin with any Contributor‑level or higher account are impacted. Versions 6.1.0 and later have applied the fix and are not affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score is not available, making the exact likelihood of exploitation uncertain. The vulnerability is not listed in the CISA KEV catalogue. Because the flaw requires authenticated access with Contributor-level privileges, an attacker must first hold a legitimate account on the site, then add or modify a block on a page. Once injected, the payload runs in every browser that loads the affected page. Given the moderate CVSS and the authentication requirement, the overall risk is significant for sites where Contributors have extensive block‑editing rights. Administrators should consider the threat sufficient to warrant immediate remediation.

Generated by OpenCVE AI on May 2, 2026 at 06:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gutenberg Essential Blocks plugin to version 6.1.0 or later, where the Add to Cart block sanitization has been fixed.
  • If an upgrade cannot be performed immediately, remove or disable the Add to Cart block from the editor for Contributor‑level users or downgrade those users to a lower role that cannot edit blocks.
  • As a temporary measure, implement a custom filter that applies esc_attr to the className, classHook, and blockId attributes before rendering the block.
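The third action above, as an added example that is not the plugin's or OpenCVE's code: a must-use plugin that hooks WordPress core's `render_block_data` filter and runs `esc_attr()` over the three attributes of `essential-blocks/add-to-cart` before the block's own render_callback() builds its markup. The block name and attribute names are taken from the advisory; the file name, the function name and the priority are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary escaping filter for essential-blocks/add-to-cart
 * Description: Added example (not the plugin's code). Save as
 *              wp-content/mu-plugins/eb-add-to-cart-escape.php and remove it
 *              once Essential Blocks 6.1.0 or later is installed.
 */

// render_block_data runs on the parsed block before WordPress hands it to the
// block type's render callback, so the callback only ever sees escaped values.
function eb_tmp_escape_add_to_cart_attrs( array $parsed_block ): array {
    if ( ( $parsed_block['blockName'] ?? '' ) !== 'essential-blocks/add-to-cart' ) {
        return $parsed_block;
    }

    // The three attributes named in the advisory.
    foreach ( array( 'className', 'classHook', 'blockId' ) as $attr ) {
        if ( isset( $parsed_block['attrs'][ $attr ] ) && is_string( $parsed_block['attrs'][ $attr ] ) ) {
            $parsed_block['attrs'][ $attr ] = esc_attr( $parsed_block['attrs'][ $attr ] );
        }
    }

    return $parsed_block;
}
add_filter( 'render_block_data', 'eb_tmp_escape_add_to_cart_attrs', 10, 1 );
```

Because `esc_attr()` does not re-encode entities that are already present, the outer wrapper's own escaping through get_block_wrapper_attributes() is unaffected; the filter only changes the values that reach the unescaped inner divs. This is a stop-gap for the rendered output, not a substitute for the upgrade.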



Advisories

No advisories yet.

History

Sat, 02 May 2026 05:15:00 +0000

Type         Values Removed   Values Added
Description                   The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block (essential-blocks/add-to-cart) in all versions up to, and including, 6.0.4. This is due to insufficient output escaping in the render_callback() function where these attributes are placed into class and data-id HTML attributes using raw sprintf() and implode() without esc_attr() escaping. While the outer wrapper div uses get_block_wrapper_attributes() which properly escapes, the inner divs do not. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                         Gutenberg Essential Blocks <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T04:27:44.707Z

Reserved: 2026-03-23T15:37:56.964Z

Link: CVE-2026-4658

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T05:16:00.767

Modified: 2026-05-02T05:16:00.767

Link: CVE-2026-4658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses