Stored Cross-Site Scripting in Essential Blocks for WordPress
CVE-2026-4658

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Gutenberg Essential Blocks – Page Builder For Gutenberg Blocks & Patterns
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-4658?

The Essential Blocks plugin for WordPress is susceptible to Stored Cross-Site Scripting. This vulnerability arises from insufficient output escaping in the Add to Cart block's attributes (className, classHook, and blockId). When utilized, these attributes may permit authenticated attackers with Contributor-level access and above to inject arbitrary scripts into web pages. Consequently, these scripts will execute whenever users access the compromised pages, compromising their security and data integrity.

Affected Version(s)

Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 0 <= 6.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/essential-bloc...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Mar 23, 2026

Credit

Jack Pas

darkestmode

CVE-2026-4658 Data

JSON