Loading market data...
← Back to CVE feed

CVE-2026-8981

LOW CVSS 3.5 View on NVD ↗

Description

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Published: Jun 09, 2026 06:16 UTC Modified: Jun 09, 2026 13:51 UTC