{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0894", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-13T13:49:58.337Z", "datePublished": "2026-04-18T09:26:52.078Z", "dateUpdated": "2026-04-20T13:48:40.598Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T09:26:52.078Z"}, "affected": [{"vendor": "vanderwijk", "product": "Content Blocks (Custom Post Widget)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Content Blocks (Custom Post Widget) <= 3.3.9 - Authenticated (Author+) Stored Cross-Site Scripting via content_block Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/246dee15-82e0-4630-8d95-d2419e9eaef8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3447914/custom-post-widget"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-04-17T21:21:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T13:48:26.769572Z", "id": "CVE-2026-0894", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:48:40.598Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0894", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:48:26.769572Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:48:31.843Z"}}], "cna": {"title": "Content Blocks (Custom Post Widget) <= 3.3.9 - Authenticated (Author+) Stored Cross-Site Scripting via content_block Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "vanderwijk", "product": "Content Blocks (Custom Post Widget)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-17T21:21:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/246dee15-82e0-4630-8d95-d2419e9eaef8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3447914/custom-post-widget"}], "descriptions": [{"lang": "en", "value": "The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T09:26:52.078Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0894", "state": "PUBLISHED", "dateUpdated": "2026-04-20T13:48:40.598Z", "dateReserved": "2026-01-13T13:49:58.337Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-18T09:26:52.078Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-0894", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-18T10:16:12.093", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3447914/custom-post-widget"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/246dee15-82e0-4630-8d95-d2419e9eaef8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.9]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "Content Blocks (Custom Post Widget)", "source": "cna", "vendor": "vanderwijk"}, "product": "content_blocks_custom_post_widget", "vendor": "johan_van_der_wijk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-18T17:00:17.856999+00:00", "value": {"mitigation_remediation": ["Upgrade the Content Blocks (Custom Post Widget) plugin to a version newer than 3.3.9 (preferably the latest release).", "Remove or disable the content_block shortcode from any pages or posts until a secure version is deployed.", "Restrict or remove Contributor and higher roles from sites where the plugin is active until a fix or upgrade is applied."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations running the vanderwijk:Content Blocks (Custom Post Widget) plugin in any version up to and including 3.3.9 are affected. Sites that grant contributor or higher level permissions are at risk because such users can insert the harmful content.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw in the Content Blocks (Custom Post Widget) plugin. The plugin\u2019s content_block shortcode does not properly sanitize or escape user\u2011supplied content, allowing an authenticated user with contributor or higher privileges to embed malicious JavaScript. When a user accesses a page containing the injected shortcode, the script executes in the victim\u2019s browser, potentially enabling credential theft, session hijacking, or other client\u2011side attacks. This weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity, and the lack of EPSS data means the current exploitation probability cannot be quantified; however, the vulnerability is not listed in the CISA KEV catalog. The attack vector requires valid credentials, and since many sites use contributor accounts, the real\u2011world risk is non\u2011negligible. Updating to a fixed release or disabling the content_block shortcode effectively eliminates the stored XSS threat."}}}}, "created": "2026-04-18T17:15:05.769848+00:00", "updated": "2026-04-20T14:58:45.293888+00:00", "vendors": ["johan_van_der_wijk", "johan_van_der_wijk$PRODUCT$content_blocks_custom_post_widget", "wordpress", "wordpress$PRODUCT$wordpress"]}