CVE-2026-0894

Name of the Vulnerable Software and Affected Versions Content Blocks (Custom Post Widget) plugin for WordPress versions prior to 3.4.0

Description Stored Cross-Site Scripting is possible via the content block shortcode due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages, which execute when a user accesses the affected page.

Recommendations Update the plugin to a version later than 3.3.9.