CVE-2026-6378

MEDIUM 6.4

Maxi Blocks <= 2.1.9 - Authenticated (Author+) Stored Cross-Site Scripting via Style Card REST API

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

0th

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including across the entire WordPress admin panel.

CWE	CWE-79
Vendor	ckp267
Product	maxiblocks builder \| 17,000+ design assets, patterns, icons & starter sites
Published	May 2, 2026

Stay Ahead of the Next One

Get instant alerts for ckp267 maxiblocks builder | 17,000+ design assets, patterns, icons & starter sites

Be the first to know when new medium vulnerabilities affecting ckp267 maxiblocks builder | 17,000+ design assets, patterns, icons & starter sites are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

ckp267 / MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites

0 ≤ 2.1.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Athiwat Tiprasaharn