CVE-2026-8981
Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Affected products
Unknown · Custom Block Builder
Public PoCs found: 1
cve_reference: wpscan.com/vulnerability/9815b0e6-e411-4a5c-9c63-30bad21da698/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.