Description
Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A contributor-level Cross Site Scripting (XSS) vulnerability is present in the WordPress Magazine Blocks plugin, versions 1.8.3 and earlier. An attacker who holds or obtains a contributor role can inject script payloads into site content. When a visitor loads a page containing the injected script, it runs in that visitor's browser with the site's origin, potentially stealing credentials, defacing the website, or redirecting the user to malicious sites. The vulnerability is an input validation flaw, categorized as CWE-79.

Affected Systems

WordPress sites that use the BlockArt Magazine Blocks plugin version 1.8.3 or earlier are affected. Updating to a later version removes the vulnerability.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium-level risk. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation is uncertain. If a contributor account can be compromised or created, the attacker can directly inject the XSS payload into the site content, potentially affecting all site visitors who load the affected pages.

Generated by OpenCVE AI on June 26, 2026 at 18:10 UTC.

Remediation

Vendor Solution

Update the WordPress Magazine Blocks Plugin to the latest available version (at least 1.8.4).


OpenCVE Recommended Actions

  • Update the Magazine Blocks plugin to version 1.8.4 or newer.
  • Review existing contributor accounts, remove any that are no longer required, and restrict contributor roles to limit the content that can host arbitrary HTML.
  • Implement additional input validation or sanitization in the content editing flow, such as WordPress's sanitize_text_field() for plain-text values (it strips all tags) or a safe-HTML filter such as wp_kses_post() for fields that must keep markup, to block script tags and ensure only benign markup is stored.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Blockart; Blockart magazine Blocks; Wordpress; Wordpress wordpress |
| Vendors & Products | | Blockart; Blockart magazine Blocks; Wordpress; Wordpress wordpress |

Fri, 26 Jun 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions. |
| Title | | WordPress Magazine Blocks plugin <= 1.8.3 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:36:56.163Z

Reserved: 2026-06-25T08:03:24.124Z

Link: CVE-2026-57650

Vulnrichment

Updated: 2026-06-26T16:36:52.736Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')