PT-2026-42723 · WordPress · Wp Blockade

Youcef Hamdani

·

Published

2026-05-22

·

Updated

2026-05-28

·

CVE-2026-3481

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions WP Blockade versions prior to 0.9.15
Description The plugin is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing attackers to execute scripts in the victim's browser. The issue exists in the render shortcode preview() function, which processes the shortcode parameter from the $ GET request. The function uses stripslashes() but fails to perform sufficient input sanitization or output escaping before passing the data to do shortcode(). If the input is not a valid WordPress shortcode, it is reflected directly into the page. This requires the attacker to be authenticated with at least a Subscriber-level account, as the endpoint is registered via admin post and lacks nonce verification or capability checks.
Recommendations Update to a version later than 0.9.14. As a temporary workaround, restrict access to the render shortcode preview() function or avoid using the shortcode parameter until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3481

Affected Products

Wp Blockade