CVE-2026-8981 – Lazy Blocks < 4.3.0 – Admin+ Stored XSS via Custom Block Frontend HTML
CVE ID: CVE-2026-8981
Published: June 9, 2026, 6:16 a.m.
Description: The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
Severity: 0.0 | NA