PT-2026-42723 · WordPress · Wp Blockade

Youcef Hamdani · Published 2026-05-22 · Updated 2026-05-22

CVE-2026-3481 · CVSS v3.1 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP Blockade versions prior to 0.9.15
Description: The plugin is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing attackers to execute scripts in the victim's browser. The issue exists in the render_shortcode_preview() function, which processes the shortcode parameter from the $_GET request. The function applies stripslashes() but performs no sufficient input sanitization or output escaping before passing the data to do_shortcode(). If the input is not a valid WordPress shortcode, it is reflected directly into the page. Exploitation requires the attacker to be authenticated with at least a Subscriber-level account, as the endpoint is registered via admin_post and lacks nonce verification or capability checks.
Recommendations: Update to a version later than 0.9.14. As a temporary workaround, restrict access to the render_shortcode_preview() function or avoid using the shortcode parameter until the update is applied.
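As an added illustration (example code written for this page, not the plugin's own code), the pattern the description outlines beside a hardened admin_post preview handler that adds the capability check, nonce verification, input validation and output escaping the advisory says are missing. The hook name, nonce action and function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hook, nonce action and function names
// are hypothetical; only the pattern follows the advisory's description.

// Pattern as described in the advisory: unslashed request data goes straight
// to do_shortcode(), and anything that is not a shortcode is echoed as-is.
function preview_as_described() {
    echo do_shortcode( stripslashes( $_GET['shortcode'] ) );
    exit;
}

// Hardened handler for the same kind of admin_post endpoint.
add_action( 'admin_post_blockade_preview', 'hardened_render_shortcode_preview' );

function hardened_render_shortcode_preview() {
    // Capability check: only users allowed to edit content get a preview,
    // so a Subscriber-level account can no longer reach the rendering path.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }

    // Nonce check: the request must carry a nonce this plugin issued
    // (wp_nonce_url() / wp_nonce_field() with the same action name).
    check_admin_referer( 'blockade_preview' );

    // Unslash and type-check the untrusted parameter.
    $raw = ( isset( $_GET['shortcode'] ) && is_string( $_GET['shortcode'] ) )
        ? wp_unslash( $_GET['shortcode'] )
        : '';

    // Validate: accept only input that opens with a registered shortcode tag;
    // anything else is refused instead of being reflected into the page.
    if ( ! preg_match( '/^\[([A-Za-z0-9_-]+)[\s\]\/]/', $raw, $m ) || ! shortcode_exists( $m[1] ) ) {
        wp_die( esc_html__( 'Not a registered shortcode.' ), 400 );
    }

    // Escape on output: even a registered shortcode's rendered HTML is
    // filtered through the post-safe allow-list before reaching the browser.
    echo wp_kses_post( do_shortcode( $raw ) );
    exit;
}
```

Validation alone is not sufficient, since a registered shortcode can still emit attacker-influenced attributes, so the output-escaping step stays regardless of what the validation accepts.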

Tags: Fix · XSS

Related Identifiers: CVE-2026-3481

Affected Products: Wp Blockade