Stored Cross-Site Scripting Vulnerability in Services Section Block Plugin for WordPress
CVE-2026-11402

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Services Section Block – Showcase Service Details In Grid Or Columns
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-11402?

The Services Section Block plugin for WordPress contains a vulnerability that allows authenticated users with contributor-level access or higher to perform stored cross-site scripting (XSS) attacks. This vulnerability arises from inadequate input sanitization and output escaping of the 'link' Block Attribute in all versions up to and including 1.4.4. Attackers can inject malicious web scripts that remain persistent within HTML comments in the post content. These scripts activate when users visit the affected page, executing through both the primary service link anchor and an additional title-wrapped anchor link when the linkIn option is enabled. This poses a significant risk as it compromises the security and integrity of the website.

Affected Version(s)

Services Section Block – Showcase Service Details in Grid or Columns 0 <= 1.4.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/services-secti...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Philipp Doblhofer

CVE-2026-11402 Data

JSON