CVE-2026-4658

Name of the Vulnerable Software and Affected Versions Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates versions prior to 6.0.5

Description Stored Cross-Site Scripting is possible via the className, classHook, and blockId attributes in the 'Add to Cart' block ('essential-blocks/add-to-cart'). The issue occurs in the render callback() function due to insufficient output escaping when these attributes are placed into class and data-id HTML attributes using sprintf() and implode() without esc attr() escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which execute when a user visits the affected page.

Recommendations Update to a version newer than 6.0.4.