PT-2026-36560 · WordPress · Maxiblocks

Athiwat Tiprasaharn · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-6378

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Maxi Blocks versions prior to 2.2.0

Description: The Maxi Blocks plugin for WordPress contains a stored cross-site scripting issue. It is caused by insufficient input sanitization and output escaping of the sc styles parameter handled by the '/wp-json/maxi-blocks/v1.0/style-card' REST API endpoint. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including the entire WordPress admin panel.

Recommendations: Update the plugin to a version later than 2.1.9. As a temporary workaround, restrict access to the '/wp-json/maxi-blocks/v1.0/style-card' endpoint or avoid using the sc styles parameter until the update is applied.
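One way to apply the temporary workaround above (an added example, not the plugin's or the advisory author's code): a must-use plugin that short-circuits REST requests to the style-card route unless the caller holds the manage_options capability, which Author-level accounts do not. It assumes the file is placed in wp-content/mu-plugins/ and that the route path is exactly the one quoted in the advisory.

```php
<?php
/**
 * Plugin Name: Temporary Maxi Blocks style-card gate (added example)
 * Description: Blocks the style-card REST route for non-administrators until the
 *              plugin is updated past 2.1.9. Remove this file after updating.
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * rest_pre_dispatch runs after WordPress has authenticated the REST request,
 * so current_user_can() reflects the real caller.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Route quoted in the advisory; everything else is left untouched.
    $locked_route = '/maxi-blocks/v1.0/style-card';

    if ( 0 !== strpos( $request->get_route(), $locked_route ) ) {
        return $result;
    }

    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Record the denied attempt so repeated probing from lower-privileged
    // accounts shows up in the PHP error log for review.
    error_log( sprintf(
        'maxi-style-card-gate: denied %s %s for user %d',
        $request->get_method(),
        $request->get_route(),
        get_current_user_id()
    ) );

    // Returning a WP_Error from rest_pre_dispatch becomes the HTTP response.
    return new WP_Error(
        'maxi_style_card_locked',
        'The style-card endpoint is temporarily restricted pending a plugin update.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

This gate blocks the whole route for non-administrators, so editors below that level lose the style-card feature until the update is applied; that is the trade-off the advisory's workaround implies.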

Fix
XSS

Related Identifiers: CVE-2026-6378

Affected Products: Maxiblocks