Description
The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The scratchblocks for WP plugin contains a stored cross‑site scripting flaw caused by inadequate sanitization of the 'element' attribute in the 'scratchblocks' shortcode. Because the plugin fails to properly escape this user‑supplied attribute, an authenticated user with contributor-level access can inject arbitrary JavaScript. When a visitor opens a page that contains the maliciously crafted shortcode, the injected script runs in the visitor's browser.

Affected Systems

Vulnerability impacts the scratchblocks for WP WordPress plugin, versions up to and including 1.0.1. The affected author is tkc49. No other versions are indicated as vulnerable in the data.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability. EPSS data is not available, and the vulnerability is not listed in CISA KEV, implying no publicly known exploitation. However, because the exploit requires only contributor‑level authentication, it is likely to be exercised by any user who can edit content. The stored payload will be executed for all site visitors who view the affected page.

Generated by OpenCVE AI on May 12, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the scratchblocks for WP plugin to a version newer than 1.0.1.
  • If no update is available, remove the scratchblocks shortcode from contributor‑level content or disable the element attribute for these users.
  • Apply site‑wide input filtering or content moderation to strip or escape any JavaScript from shortcode attributes.

Generated by OpenCVE AI on May 12, 2026 at 11:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title scratchblocks for WP <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T07:48:28.917Z

Reserved: 2026-04-13T18:05:09.654Z

Link: CVE-2026-6247

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-12T09:16:55.370

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-6247

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T11:15:14Z

Weaknesses