Description
The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can store a JavaScript payload in their own profile description (allowlisted by get_safe_user_meta_keys()) and prepend 'javascript:' via the linkMetaFieldType attribute, creating a fully attacker-controlled href that executes when any user, including an administrator, clicks the rendered headline link.
Published: 2026-07-03
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in GenerateBlocks allows authenticated contributors to inject arbitrary JavaScript via the headline block's linkMetaFieldType attribute. The payload is stored and runs when any user follows the rendered link, which can lead to data theft or credential compromise. The flaw results from insufficient input sanitization and output escaping, and is classified as stored XSS (CWE-79).

Affected Systems

WordPress sites running the GenerateBlocks plugin at version 2.2.1 or earlier. The plugin is maintained by edge22 and is distributed through the WordPress plugin repository. Affected installs are those that have the headline block enabled and the dynamic link attribute capability active.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate risk, and no EPSS score is available, suggesting no publicly reported exploit data yet. The vulnerability is not listed in CISA's KEV catalog. The attack requires contributor-level authentication, which is common in many multisite WordPress configurations, and leverages a stored payload that is served to all site visitors. Because the JavaScript executes only on link click, the risk is limited to situations where users interact with the headline link, but it can be leveraged to hijack sessions or phish credentials.

Generated by OpenCVE AI on July 3, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GenerateBlocks release (v2.3 or later) that removes the unsanitized dynamic link attribute.
  • Restrict contributor access or disable the dynamic link feature in the current plugin version to prevent malicious payloads from being stored.
  • Audit and clean existing headline blocks for the linkMetaFieldType attribute used with attacker-controlled hrefs before upgrading.
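The composed dynamic href from the description and the "audit and clean existing headline blocks" action above, as an added Python example that is not OpenCVE's or the plugin's own code. It assumes the standard Gutenberg block-comment serialization, a block name of generateblocks/headline, and that the href is formed as the linkMetaFieldType prefix followed by the user meta value; the sample post content and profile description are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample post content (not taken from any real site). Block name and
# attribute names are assumptions about the GenerateBlocks headline block.
SAMPLE_POST_CONTENT = """
<!-- wp:generateblocks/headline {"uniqueId":"a1","linkMetaFieldType":"https://","linkMetaFieldName":"description"} -->
<h2 class="gb-headline">Safe link</h2>
<!-- /wp:generateblocks/headline -->
<!-- wp:generateblocks/headline {"uniqueId":"b2","linkMetaFieldType":"javascript:","linkMetaFieldName":"description"} -->
<h2 class="gb-headline">Unsafe link</h2>
<!-- /wp:generateblocks/headline -->
"""

ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}
BLOCK_RE = re.compile(r"<!--\s*wp:generateblocks/headline\s+(\{.*?\})\s*/?-->", re.S)

def headline_blocks(content):
    """Yield the JSON attribute dict of every headline block comment in post content."""
    for m in BLOCK_RE.finditer(content):
        yield json.loads(m.group(1))

def is_safe_href(href):
    """Scheme allowlist for an href assembled from user-controlled parts."""
    # Browsers drop ASCII control characters and leading/trailing whitespace before
    # parsing, so a scheme split by a tab or written in upper case must still be caught.
    cleaned = "".join(ch for ch in href if 0x20 < ord(ch) != 0x7F)
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        return True  # relative URL: no scheme to abuse
    return scheme in ALLOWED_SCHEMES

def audit(content, user_meta):
    """Return [(uniqueId, href)] for headline blocks whose composed href is not allowlisted."""
    findings = []
    for attrs in headline_blocks(content):
        field_type = attrs.get("linkMetaFieldType", "")
        if not field_type:
            continue  # no dynamic link on this block
        value = user_meta.get(attrs.get("linkMetaFieldName", ""), "")
        href = field_type + value  # assumed composition: type prefix + meta value
        if not is_safe_href(href):
            findings.append((attrs.get("uniqueId"), href))
    return findings

if __name__ == "__main__":
    # Constructed profile description; a "javascript:" prefix turns it into a script URL.
    print(audit(SAMPLE_POST_CONTENT, {"description": "example.com/profile"}))
```

The same allowlist check, applied at render time before the href is emitted, is the shape of fix the advisory's "insufficient input sanitization and output escaping" points at.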


Tracking


Advisories

No advisories yet.

History

Fri, 03 Jul 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Edge22; Edge22 generateblocks; Wordpress; Wordpress wordpress
Vendors & Products | | Edge22; Edge22 generateblocks; Wordpress; Wordpress wordpress

Fri, 03 Jul 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can store a JavaScript payload in their own profile description (allowlisted by get_safe_user_meta_keys()) and prepend 'javascript:' via the linkMetaFieldType attribute, creating a fully attacker-controlled href that executes when any user, including an administrator, clicks the rendered headline link.
Title | | GenerateBlocks <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T07:53:09.591Z

Reserved: 2026-05-27T17:55:22.344Z

Link: CVE-2026-9756

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T17:30:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')