JavaScript Injection Vulnerability in Custom Block Builder Plugin for WordPress
CVE-2026-8981
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 9 June 2026
Badges
What is CVE-2026-8981?
The Custom Block Builder plugin for WordPress prior to version 4.3.0 fails to correctly validate the unfiltered_html capability for all paths writing to block template code fields. This oversight permits administrators on multisite setups, or on single-site installations with DISALLOW_UNFILTERED_HTML defined, to inject malicious JavaScript. Such scripts execute for any visitor viewing pages that incorporate the compromised block, thereby posing a serious security risk.
Affected Version(s)
Custom Block Builder 0 < 4.3.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved