CVE-2026-5820

Name of the Vulnerable Software and Affected Versions Zypento Blocks versions prior to 1.0.7

Description The Zypento Blocks plugin for WordPress contains a Stored Cross-Site Scripting issue within the Table of Contents block. The front-end TOC rendering script reads heading text via innerText and inserts it into the page using innerHTML without proper sanitization. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages, which then execute when a user visits the affected page.

Recommendations Update the plugin to a version later than 1.0.6.