Stored Cross-Site Scripting Vulnerability in WordPress Plugin by Vendor
CVE-2026-0894

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Content Blocks (custom Post Widget)
Vendor: CVE Published:; 18 April 2026

What is CVE-2026-0894?

The Content Blocks (Custom Post Widget) plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping on user-generated content. This vulnerability allows authenticated users with contributor-level access and higher to inject malicious scripts into web pages. These scripts can be executed whenever other users access the affected pages, posing significant risks to the integrity of the website and exposing user data.

Affected Version(s)

Content Blocks (Custom Post Widget) 0 <= 3.3.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3447914/cust...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2026
Vulnerability Reserved
Jan 13, 2026

Credit

Muhammad Yudha - DJ

CVE-2026-0894 Data

JSON