CVE Alert

CVE-2026-8981

LOW 3.5

Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML

CVSS Score: 3.5
EPSS Score: 0.0%
EPSS Percentile: 0th

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

Vendor: unknown
Product: custom block builder
Published: Jun 9, 2026
Last Updated: Jun 9, 2026

Affected Versions

Unknown / Custom Block Builder
0 < 4.3.0

References

NVD, CVE.org, EPSS Data
wpscan.com: https://wpscan.com/vulnerability/9815b0e6-e411-4a5c-9c63-30bad21da698/

Credits

Luca Jungnickel WPScan