Description
The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (authenticated)
Action: Apply Patch
AI Analysis

Impact

The Zypento Blocks WordPress plugin suffers from a stored cross‑site scripting flaw in its Table of Contents block. The block's front‑end script collects heading text from the rendered page via innerText and writes it back into the page with innerHTML, with no escaping in between. innerText returns the decoded text of a heading, so any markup that was stored HTML‑escaped (and therefore displayed harmlessly as literal text) is parsed as live HTML the moment it is assigned to innerHTML. Because posts containing the block can be written by users with Author‑level or higher permissions, such a user can plant a heading whose text becomes arbitrary JavaScript in the browser of anyone who views the affected post or page.
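The innerText-to-innerHTML pattern, modelled as an added example that is not the plugin's own code. The heading objects are constructed sample data standing in for what innerText returns from each heading; the id values and the CSS class names are assumptions, since the real plugin's markup is not shown on this page. The block shows the vulnerable string builder, an escaped version, and the DOM-API version that never parses heading text at all.

```javascript
// Added example, not Zypento Blocks code. Models the innerText -> innerHTML
// TOC pattern the advisory describes, plus two fixes, without a browser.
// Heading objects are constructed sample data; ids and class names are assumed.

// The third heading was stored HTML-escaped ("&lt;img src=x onerror=...&gt;"),
// so it renders as literal text. innerText decodes entities, which is why the
// string handed to the TOC builder already contains raw markup.
const SAMPLE_HEADINGS = [
  { level: 2, id: "intro", text: "Introduction" },
  { level: 3, id: "setup", text: "Setup & Install" },
  { level: 2, id: "demo", text: "<img src=x onerror=alert(1)>" },
];

// Vulnerable pattern: heading text is interpolated into an HTML string that
// the page then assigns to container.innerHTML. The browser parses the whole
// string, so markup carried inside heading text becomes live elements.
function buildTocUnsafe(headings) {
  return (
    "<ul>" +
    headings
      .map((h) => `<li class="lvl-${h.level}"><a href="#${h.id}">${h.text}</a></li>`)
      .join("") +
    "</ul>"
  );
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened string builder: every untrusted value is escaped before it is
// concatenated, so the parser sees text, not tags. The result is still
// assigned via innerHTML, but nothing attacker-controlled can open a tag
// or break out of an attribute.
function buildTocSafe(headings) {
  return (
    "<ul>" +
    headings
      .map((h) => {
        const level = Number(h.level) || 2; // force numeric, never interpolate raw
        return `<li class="lvl-${level}"><a href="#${escapeHtml(h.id)}">${escapeHtml(h.text)}</a></li>`;
      })
      .join("") +
    "</ul>"
  );
}

// Preferred fix for browser code: build nodes with the DOM API and set text
// through textContent, so heading text is never parsed as HTML at all.
// `doc` is passed in (document in a browser) so the function can be
// exercised outside one.
function renderTocDom(doc, container, headings) {
  container.textContent = ""; // clear any previous render
  const ul = doc.createElement("ul");
  for (const h of headings) {
    const li = doc.createElement("li");
    li.className = `lvl-${Number(h.level) || 2}`;
    const a = doc.createElement("a");
    a.setAttribute("href", "#" + h.id);
    a.textContent = h.text; // text node: "<img ...>" stays literal characters
    li.appendChild(a);
    ul.appendChild(li);
  }
  container.appendChild(ul);
}

// Crude check used to compare the two string builders: does the HTML
// contain an opening tag of the given name? (Not a general HTML parser.)
function containsOpeningTag(html, tagName) {
  return new RegExp("<" + tagName + "[\\s>/]", "i").test(html);
}
```

Running `buildTocUnsafe(SAMPLE_HEADINGS)` yields a string with a real `<img ...>` tag inside the third list item; `buildTocSafe` yields `&lt;img src=x onerror=alert(1)&gt;` in its place, and `renderTocDom` stores the same characters as a text node. In real plugin code the DOM-API route is the one to prefer, because it removes the innerHTML sink entirely rather than relying on every call site to remember to escape.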

Affected Systems

WordPress sites running the Zypento Blocks plugin at version 1.0.6 or earlier; every release up to and including 1.0.6 is affected.

Risk and Exploitability

This flaw carries a CVSS 3.1 base score of 6.4 (Medium). The EPSS estimate is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with the Author role or higher: the attacker edits a post or page, places a crafted heading in content covered by a Table of Contents block, and the script executes in the browser of every user who views that content. The practical concern is that editors and administrators viewing the page are among those users, which is how an Author‑level account can be leveraged into higher‑privileged actions.

Generated by OpenCVE AI on April 22, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Zypento Blocks plugin to the latest version available from the vendor, confirming that the release notes address the stored XSS in the Table of Contents block.
  • If an update is not immediately possible, remove the Table of Contents block from published content (or deactivate the plugin) so the vulnerable front‑end script is not loaded, and review which accounts hold the Author role or higher.
  • Consider a Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src; use nonces or hashes instead). Many WordPress themes and plugins emit inline scripts, so roll the policy out in report‑only mode and fix the reports before enforcing it.

Generated by OpenCVE AI on April 22, 2026 at 10:06 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values added: Sproutient; Sproutient zypento Blocks; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Sproutient; Sproutient zypento Blocks; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type: Description
Values added: The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values added: Zypento Blocks <= 1.0.6 - Authenticated (Author+) Stored Cross-Site Scripting via Table of Contents Block

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none recorded)

Type: Metrics
Values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T13:06:40.883Z

Reserved: 2026-04-08T16:09:15.963Z

Link: CVE-2026-5820

Vulnrichment

Updated: 2026-04-22T13:06:37.259Z

NVD

Status : Deferred

Published: 2026-04-22T09:16:25.977

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-5820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:30Z

Weaknesses