PT-2026-34289 · WordPress · Wpmk Block

Zakaria · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-4125

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WPMK Block versions prior to 1.0.2

Description

The WPMK Block plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because the wpmk_block_shortcode() function fails to properly sanitize and escape the 'class' attribute within shortcodes, allowing the input to be directly concatenated into an HTML div element's class attribute.

Recommendations

Update to a version newer than 1.0.1. As a temporary workaround, restrict the ability of Contributor-level users to edit shortcode attributes.
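
The pattern described above, next to a hardened handler, as an added example that is not the WPMK Block source or its actual patch. The shortcode tag example_block and both function names are hypothetical; the WordPress API calls are real, and the file is assumed to be loaded inside WordPress as plugin code.

```php
<?php
/**
 * Added example, not the plugin's code. The tag 'example_block' and the
 * function names are hypothetical; the WordPress functions are real.
 */

// Unsafe pattern from the advisory: the 'class' attribute goes straight
// into the markup, so a Contributor-supplied value can close the attribute
// and add markup of its own. Shown for comparison only; never registered.
function example_block_shortcode_unsafe( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'example_block' );
    return '<div class="' . $atts['class'] . '">' . $content . '</div>';
}

// Hardened handler: sanitize on input, escape on output.
function example_block_shortcode( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'example_block' );

    // Treat the value as a space-separated list of class names and reduce
    // each token to the characters sanitize_html_class() allows
    // (A-Z, a-z, 0-9, '_' and '-'). Tokens that end up empty are dropped.
    $tokens  = preg_split( '/\s+/', (string) $atts['class'], -1, PREG_SPLIT_NO_EMPTY );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );

    // esc_attr() stays in place even after sanitizing: escaping at the
    // point of output is what keeps the value inside the attribute if the
    // sanitizing step is later changed or bypassed.
    return sprintf(
        '<div class="%s">%s</div>',
        esc_attr( implode( ' ', $classes ) ),
        wp_kses_post( do_shortcode( (string) $content ) )
    );
}
add_shortcode( 'example_block', 'example_block_shortcode' );
```

With the hardened handler, a class value containing quotes or angle brackets renders as plain class tokens made of letters, digits, hyphens and underscores, so nothing in the attribute can terminate it.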

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-4125

Affected Products

Wpmk Block