Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML
CVE-2026-8981

Currently unrated

Key Information:

Vendor: WordPress
Status: Custom Block Builder
Vendor: CVE Published:; 9 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-8981?

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

Affected Version(s)

Custom Block Builder 0 < 4.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-8981 - Proof of Concept

References

https://wpscan.com/vulnerability/9815b0e6-e411-4a5c-9c63-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 9, 2026
👾
Exploit known to exist
Jun 9, 2026
Vulnerability published
Jun 9, 2026
Vulnerability Reserved
May 19, 2026

Credit

Luca Jungnickel

WPScan

CVE-2026-8981 Data

JSON