{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5711", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-06T16:50:02.968Z", "datePublished": "2026-04-08T21:25:26.850Z", "dateUpdated": "2026-04-08T21:25:26.850Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T21:25:26.850Z"}, "affected": [{"vendor": "pubudu-malalasekara", "product": "Post Blocks & Tools", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aeada6dc-0851-45e8-ada9-ff0427b7f17a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.0/src/blocks/posts/slider/view.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/bnm-blocks/trunk/src/blocks/posts/slider/view.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.1/src/blocks/posts/slider/view.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3500959%40bnm-blocks%2Ftrunk&old=3456918%40bnm-blocks%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-04-06T17:06:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-08T09:11:09.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-5711", "lastModified": "2026-04-08T22:16:24.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T22:16:24.543", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.0/src/blocks/posts/slider/view.php#L237"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.1/src/blocks/posts/slider/view.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bnm-blocks/trunk/src/blocks/posts/slider/view.php#L237"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3500959%40bnm-blocks%2Ftrunk&old=3456918%40bnm-blocks%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aeada6dc-0851-45e8-ada9-ff0427b7f17a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Post Blocks & Tools", "source": "cna", "vendor": "pubudu-malalasekara"}, "product": "post_blocks_&_tools", "vendor": "pubudu-malalasekara"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T22:25:27.786555+00:00", "value": {"mitigation_remediation": ["Update Post Blocks & Tools to version 1.3.1 or a later release that removes the unescaped sliderStyle attribute.", "If an update cannot be applied immediately, remove or disable the Posts Slider block from the site to eliminate the attack surface.", "Verify that no residual sliderStyle attributes containing malicious content remain in the database or page content.", "Audit user accounts to confirm that only trusted users possess author or higher roles.", "Consider implementing a site\u2011wide security plugin that enforces strict content sanitization and monitors for XSS attempts."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Post Blocks & Tools plugin installed version 1.3.0 or older are impacted. The defect is present in all releases up to and including 1.3.0. Updating to 1.3.1 or later removes the flaw.", "description_and_impact": "The Post Blocks & Tools plugin for WordPress permits authenticated users with author privileges or higher to inject arbitrary JavaScript into the sliderStyle block attribute of the Posts Slider block. Because the plugin fails to sanitize input or escape output when rendering the attribute, the injected code is stored in the database and will execute in every browser that loads affected pages. This vulnerability allows attackers to run malicious scripts in victims\u2019 browsers, potentially facilitating session hijacking, credential theft, defacement, or phishing.", "risk_and_exploitability": "The CVSS score of 6.4 classifies the issue as medium severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires author\u2011level authentication, so attackers must have legitimate access to the WordPress installation. Once authenticated, they can trivially inject payloads via the sliderStyle attribute; no additional privileges or elevated privileges are needed beyond author rights. Although the vulnerability does not grant remote code execution, it can facilitate a wide range of XSS\u2011based attacks."}}}}, "created": "2026-04-09T08:16:34.563274+00:00", "updated": "2026-04-09T08:26:00.581121+00:00", "vendors": ["pubudu-malalasekara", "pubudu-malalasekara$PRODUCT$post_blocks_&_tools", "wordpress", "wordpress$PRODUCT$wordpress"]}