CVE-2026-8981 PUBLISHED

Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML

Assigner: WPScan
Reserved: 19.05.2026
Published: 09.06.2026
Updated: 09.06.2026

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
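The mitigation pattern the description points at is a single capability gate applied on every write path. The following is an added example, not the plugin's own code: a hypothetical save handler for a block's frontend HTML template that only stores raw markup when the current user holds unfiltered_html and otherwise sanitises it with wp_kses_post. The function name, the meta key and the $post_id parameter are assumptions; current_user_can, wp_unslash, wp_kses_post and update_post_meta are real WordPress APIs.

```php
<?php
// Added illustrative example (not code from the Custom Block Builder plugin).
// Function name and meta key are hypothetical placeholders.

function cbb_example_save_frontend_html( int $post_id, string $raw_html ): string {
    // unfiltered_html is the WordPress capability that permits raw markup,
    // including <script>. Super admins hold it; ordinary site admins on a
    // multisite network do not, and on single-site installs it is dropped for
    // everyone when DISALLOW_UNFILTERED_HTML is defined.
    if ( current_user_can( 'unfiltered_html' ) ) {
        $html = wp_unslash( $raw_html );
    } else {
        // Everyone else gets the post-content allowlist: script tags, inline
        // event handlers and javascript: URLs are removed.
        $html = wp_kses_post( wp_unslash( $raw_html ) );
    }

    update_post_meta( $post_id, '_cbb_example_frontend_html', $html );
    return $html;
}
```

The point of the advisory is the word "consistently": the check above must sit in one helper that every path which writes the field (classic admin form, REST endpoint, block import) calls, rather than being repeated, and possibly omitted, at each entry point.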

Product Status

Vendor Unknown
Product Custom Block Builder
Versions Default: unaffected
  • affected from 0 to 4.3.0 (excl.)

Credits

  • Luca Jungnickel (finder)
  • WPScan (coordinator)

References

Problem Types

  • CWE-79 Cross-Site Scripting (XSS)