PT-2026-33588 · WordPress · Coblocks

Fernando Mecozzi · Published 2026-04-18 · Updated 2026-04-21 · CVE-2026-4801

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: CoBlocks versions prior to 3.1.17

Description: The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds within the Events block rendering function. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.

Recommendations: Update the plugin to a version newer than 3.1.16.
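
The weakness class described above, shown as an added example that is not CoBlocks code or the vendor's patch: values read from an iCal feed are rendered once without and once with output escaping. The feed, `parse_events()`, `e()` and both render functions are constructed for illustration; `e()` stands in for WordPress's `esc_html()` so the script runs without WordPress.

```php
<?php
// Added example, not CoBlocks code. Plain PHP so it runs without WordPress;
// e() is a hypothetical stand-in for WordPress's esc_html().

// Constructed iCal feed: the feed owner controls every property value.
$feed = <<<ICS
BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Team sync <script>alert(1)</script>
DESCRIPTION:Agenda & notes
LOCATION:Room "A"
END:VEVENT
END:VCALENDAR
ICS;

// Minimal VEVENT reader (hypothetical): no line unfolding or property parameters.
function parse_events(string $ics): array {
    $events = [];
    $current = null;
    foreach (preg_split('/\r\n|\r|\n/', $ics) as $line) {
        if ($line === 'BEGIN:VEVENT') {
            $current = [];
        } elseif ($line === 'END:VEVENT' && $current !== null) {
            $events[] = $current;
            $current = null;
        } elseif ($current !== null && strpos($line, ':') !== false) {
            [$name, $value] = explode(':', $line, 2);
            $current[strtoupper($name)] = $value;
        }
    }
    return $events;
}

function e(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: feed values are concatenated into markup as-is, so the <script> tag is live.
function render_unescaped(array $ev): string {
    return '<h3>' . ($ev['SUMMARY'] ?? '') . '</h3><p>' . ($ev['DESCRIPTION'] ?? '')
        . '</p><span>' . ($ev['LOCATION'] ?? '') . '</span>';
}

// After: every feed value is escaped at output, so it renders as inert text.
function render_escaped(array $ev): string {
    return '<h3>' . e($ev['SUMMARY'] ?? '') . '</h3><p>' . e($ev['DESCRIPTION'] ?? '')
        . '</p><span>' . e($ev['LOCATION'] ?? '') . '</span>';
}

foreach (parse_events($feed) as $ev) { echo render_unescaped($ev), "\n", render_escaped($ev), "\n"; }
```

Escaping is applied at the point of output rather than when the feed is fetched, so the same rule covers titles, descriptions and locations regardless of which feed supplied them.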

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-4801

Affected Products: Coblocks