CVE-2026-5711 - Vulnerability Details

- Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute

Description

The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2026-04-08

Score: 6.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Post Blocks & Tools plugin for WordPress permits authenticated users with author privileges or higher to inject arbitrary JavaScript into the sliderStyle block attribute of the Posts Slider block. Because the plugin fails to sanitize input or escape output when rendering the attribute, the injected code is stored in the database and will execute in every browser that loads affected pages. This vulnerability allows attackers to run malicious scripts in victims’ browsers, potentially facilitating session hijacking, credential theft, defacement, or phishing.

Affected Systems

WordPress sites that have the Post Blocks & Tools plugin installed version 1.3.0 or older are impacted. The defect is present in all releases up to and including 1.3.0. Updating to 1.3.1 or later removes the flaw.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as medium severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires author‑level authentication, so attackers must have legitimate access to the WordPress installation. Once authenticated, they can trivially inject payloads via the sliderStyle attribute; no additional privileges or elevated privileges are needed beyond author rights. Although the vulnerability does not grant remote code execution, it can facilitate a wide range of XSS‑based attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pubudu-malalasekara

Post Blocks & Tools

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3.0

No data.

Vendor Product Confidence Versions

Pubudu-malalasekara

Post Blocks & Tools

100%

Version	Status	Scheme	Platform
`[0,1.3.0]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Post Blocks & Tools to version 1.3.1 or a later release that removes the unescaped sliderStyle attribute.
If an update cannot be applied immediately, remove or disable the Posts Slider block from the site to eliminate the attack surface.
Verify that no residual sliderStyle attributes containing malicious content remain in the database or page content.
Audit user accounts to confirm that only trusted users possess author or higher roles.
Consider implementing a site‑wide security plugin that enforces strict content sanitization and monitors for XSS attempts.

Generated by OpenCVE AI on April 8, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.0/src/blocks/posts/slider/view.php#L237
https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.1/src/blocks/posts/slider/view.php
https://plugins.trac.wordpress.org/browser/bnm-blocks/trunk/src/blocks/posts/slider/view.php#L237
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3500959%40bnm-blocks%2Ftrunk&old=3456918%40bnm-blocks%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/aeada6dc-0851-45e8-ada9-ff0427b7f17a?source=cve

History

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pubudu-malalasekara Pubudu-malalasekara post Blocks & Tools Wordpress Wordpress wordpress
Vendors & Products		Pubudu-malalasekara Pubudu-malalasekara post Blocks & Tools Wordpress Wordpress wordpress

Wed, 08 Apr 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.0/src/blocks/posts/slider/view.php#L237 https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.1/src/blocks/posts/slider/view.php https://plugins.trac.wordpress.org/browser/bnm-blocks/trunk/src/blocks/posts/slider/view.php#L237 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3500959%40bnm-blocks%2Ftrunk&old=3456918%40bnm-blocks%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/aeada6dc-0851-45e8-ada9-ff0427b7f17a?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Pubudu-malalasekara Post Blocks & Tools

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-08T21:25:26.850Z

Updated: 2026-04-08T21:25:26.850Z

Reserved: 2026-04-06T16:50:02.968Z

Link: CVE-2026-5711

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T22:16:24.543

Modified: 2026-04-08T22:16:24.543

Link: CVE-2026-5711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:26:00Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object