Recipe Card Blocks Lite <= 3.4.13 - Authenticated (Author+) Stored Cross-Site Scripting via 'summary' and 'notes'
CVE-2026-3011

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Recipe Card Blocks Lite
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-3011?

The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the published post or the print view of an injected recipe.

Affected Version(s)

Recipe Card Blocks Lite 0 <= 3.4.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/recipe-card-bl...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
Feb 23, 2026

Credit

Athiwat Tiprasaharn

Itthidej Aramsri

CVE-2026-3011 Data

JSON