CVE-2026-8981

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW UNFILTERED HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.