WordPress Plugin Vulnerabilities

Blocks < 25.09.30.1006 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
blocks
Fixed in 25.09.30.1006

References

CVE
CVE-2023-44262
URL
https://patchstack.com/database/wordpress/plugin/blocks/vulnerability/wordpress-blocks-plugin-1-6-41-cross-site-scripting-xss

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
92ee1371-f977-4bea-bae6-048edc549d20

Timeline

Publicly Published
2023-10-02 (about 2 years ago)
Added
2023-10-02 (about 2 years ago)
Last Updated
2025-10-07 (about 5 months ago)

Other

Published
Title
Published
2025-01-16
Title
Magic Google Maps <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-03-20
Title
Tour & Activity Operator Plugin for TourCMS <= 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2017-07-24
Title
Simple Custom CSS and JS <= 3.3 - Authenticated Cross-Site Scripting (XSS)
Published
2022-12-19
Title
Table of Contents Plus < 2212 - Contributor+ Stored XSS
Published
2026-02-13
Title
myCred < 2.9.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode