CVE-2026-3004: XSS in Snow Monkey Blocks WordPress Plugin
Platform
wordpress
Component
snow-monkey-blocks
Fixed in
24.1.12
CVE-2026-3004 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Snow Monkey Blocks plugin for WordPress. This vulnerability allows authenticated attackers, possessing Contributor-level access or higher, to inject arbitrary web scripts. The vulnerability affects versions from 0.0.0 through 24.1.11, and a patch is available in version 24.1.12.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-3004 enables an attacker to execute malicious JavaScript code within the context of a user's browser when they visit a compromised page. This can lead to various consequences, including session hijacking, redirection to phishing sites, defacement of the website, and theft of sensitive user data such as cookies and login credentials. The impact is amplified if the injected script targets administrators or users with elevated privileges, potentially granting the attacker control over the entire WordPress installation. The attacker's ability to inject scripts via the 'data-slick' attribute highlights the importance of proper input sanitization and output escaping in WordPress plugin development.
Exploitation Context
CVE-2026-3004 was published on May 13, 2026. Severity is currently assessed as Medium. No public exploits or active campaigns targeting this vulnerability have been reported at the time of writing. It is not currently listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-3004 is to immediately upgrade the Snow Monkey Blocks plugin to version 24.1.12 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious payloads targeting the 'data-slick' attribute. Additionally, review and harden WordPress user roles and permissions to limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the plugin's data-slick functionality and verifying that it is properly sanitized and does not execute.
How to fix
Update to version 24.1.12, or a newer patched version
Frequently asked questions
What is CVE-2026-3004 — XSS in Snow Monkey Blocks?
CVE-2026-3004 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Snow Monkey Blocks WordPress plugin, allowing authenticated users to inject malicious scripts. It impacts versions 0.0.0–24.1.11.
Am I affected by CVE-2026-3004 in Snow Monkey Blocks?
You are affected if your WordPress site uses the Snow Monkey Blocks plugin and is running a version prior to 24.1.12. Check your plugin version immediately.
How do I fix CVE-2026-3004 in Snow Monkey Blocks?
Upgrade the Snow Monkey Blocks plugin to version 24.1.12 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if immediate upgrade is not possible.
Is CVE-2026-3004 being actively exploited?
As of the current assessment, CVE-2026-3004 is not known to be actively exploited. However, it's crucial to apply the patch promptly to prevent potential future attacks.
Where can I find the official Snow Monkey Blocks advisory for CVE-2026-3004?
Refer to the official Snow Monkey Blocks website or WordPress plugin repository for the latest advisory and update information regarding CVE-2026-3004.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...