CVE-2026-8981 | THREATINT

Description

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-09 | Updated 2026-06-09 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status

unaffected

Any version before 4.3.0

affected

Credits

Luca Jungnickel finder

WPScan coordinator

References

wpscan.com/...rability/9815b0e6-e411-4a5c-9c63-30bad21da698/ exploit vdb-entry technical-description

cve.org (CVE-2026-8981)

nvd.nist.gov (CVE-2026-8981)

Download JSON