CVE-2026-0894: XSS in Content Blocks Custom Post Widget
Platform
wordpress
Component
custom-post-widget
Fixed in
3.4.1
CVE-2026-0894 is a Stored Cross-Site Scripting (XSS) vulnerability in the Content Blocks (Custom Post Widget) plugin for WordPress. An authenticated attacker with Contributor-level access or higher can inject arbitrary web script into a content block; the script is saved with the block and executes in the browser of anyone who views a page that renders it. Versions up to and including 3.3.9 are affected; the fix is in version 3.4.1.
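A concrete "am I affected" check, added here as an example and not part of the advisory or of the plugin's own code. It compares an installed version against the fixed release, reading the version either from the plugin's header comment or from the JSON output of `wp plugin list --format=json`. The plugin slug custom-post-widget comes from the component field above; the header and plugin-list samples are constructed for the example. Anything below 3.4.1 is treated as affected, which is the conservative reading of the advisory.

```python
"""Version check for CVE-2026-0894 in Content Blocks (Custom Post Widget).

Affected: <= 3.3.9. Fixed: 3.4.1. Anything below the fixed version is treated
as affected (conservative reading of the advisory).
"""
import json
import re
from typing import List, Optional

PLUGIN_SLUG = "custom-post-widget"  # plugin directory name, as shown by `wp plugin list`
FIXED_VERSION = "3.4.1"


def parse_version(version: str) -> tuple:
    """Turn '3.3.9' (or '3.4.1-beta1') into a comparable tuple of ints.

    Numeric components are kept in order; the first non-numeric component ends
    the parse, and missing components are padded with 0 so '3.4' == '3.4.0'.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version predates the fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Read the 'Version:' line of a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def affected_from_wp_plugin_list(json_text: str) -> List[dict]:
    """Filter `wp plugin list --format=json` output to affected copies of the plugin."""
    return [
        row for row in json.loads(json_text)
        if row.get("name") == PLUGIN_SLUG and is_affected(row.get("version", "0"))
    ]


# Constructed samples for the example; not output from a real site.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Content Blocks (Custom Post Widget)
Version: 3.3.9
*/
"""

SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "custom-post-widget", "status": "active", "update": "available", "version": "3.3.9"},
])

if __name__ == "__main__":
    print("header version:", version_from_plugin_header(SAMPLE_HEADER))
    for row in affected_from_wp_plugin_list(SAMPLE_PLUGIN_LIST):
        print(f"AFFECTED: {row['name']} {row['version']} (fixed in {FIXED_VERSION})")
```

On a live site, pipe the real `wp plugin list --format=json` output into affected_from_wp_plugin_list; for a site without WP-CLI, read wp-content/plugins/custom-post-widget/custom-post-widget.php through version_from_plugin_header.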
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
Successful exploitation lets an attacker with a Contributor account store JavaScript in a content block. Whenever that block is rendered, on the public site or in the dashboard where an editor or administrator previews it, the script runs in the viewer's browser under the site's origin. The consequences are those of any stored XSS: redirection to phishing pages, defacement, and theft of data the page exposes. On WordPress the more serious path is privilege escalation. WordPress sets its authentication cookies HttpOnly, so plain cookie theft is usually not available, but script running while an administrator views the page can issue authenticated requests to wp-admin and the REST API with that administrator's session and nonces, which is how a Contributor-level stored XSS is typically turned into full site compromise. The impact is higher on sites that handle payment or personal data, where script in the page can capture what users submit.
Exploitation Context
CVE-2026-0894 is not on the CISA KEV list, and its EPSS score is 0.01% (1st percentile), so the modelled probability of exploitation in the wild is low. Public proof-of-concept code may still emerge as the vulnerability gains visibility; stored XSS in a WordPress plugin needs only a low-privileged account, which keeps the bar for exploitation low. The advisory was published on 2026-04-18, so it is relatively new. Monitor security advisories and threat intelligence feeds for any indication of exploitation campaigns targeting it.
Threat Intelligence
Exploit Status
EPSS
0.01% (1% percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — a low-privileged authenticated account is sufficient; here a Contributor account, the lowest WordPress role that can author posts.
- User Interaction
- None — no victim action beyond normally viewing a page that renders the block; the stored payload fires when the page is displayed, which is why stored XSS is scored UI:N here.
- Scope
- Changed — the vulnerable component (the WordPress site serving the block) and the impacted component (the viewer's browser) are different, which is the standard scoping for XSS; it does not imply access to the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Weakness Classification (CWE)
Timeline
- Published
- 2026-04-18
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation is to update the Content Blocks (Custom Post Widget) plugin to version 3.4.1 or later. If you cannot update immediately because of compatibility or testing constraints, reduce who can reach the vulnerable path: the flaw needs a Contributor account, so disable open registration if it is on, review existing Contributor and Author accounts, and consider deactivating the plugin until it is updated. A Web Application Firewall rule that looks for script-injection patterns in content block submissions (for example in the content_block shortcode parameter) is at best a stopgap: XSS filters are routinely bypassed with encoding and attribute tricks, so do not treat one as a fix. Because the vulnerability is stored, updating stops new injections but does not necessarily remove payloads already saved; after updating, audit the content blocks created by lower-privileged users and strip or sanitize any script tag, event-handler attribute or javascript: URL you find. Verify the fix by logging in as a Contributor on a staging copy, saving a content block containing a harmless marker payload such as alert('XSS'), and confirming that the marker is escaped or removed when the page and the block's preview are viewed by an administrator.
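The post-update audit in code, added here as an example; it is not part of the advisory or of the plugin. It walks rows exported with `wp post list --post_type=content_block --fields=ID,post_author,post_content --format=json` and flags blocks whose HTML carries a script vector: an active tag such as script or iframe, an on* event-handler attribute, or a javascript: URL (after entity decoding, so an encoded scheme is not missed). The post type name content_block is an assumption about how this plugin stores blocks; adjust it if your install uses another name. The rows below are constructed for the example.

```python
"""Audit stored content blocks for script-bearing HTML after updating past CVE-2026-0894.

Intended input: rows exported with
  wp post list --post_type=content_block --fields=ID,post_author,post_content --format=json
The post type 'content_block' is an assumption about this plugin. SAMPLE_ROWS is constructed.
"""
import json
import re
from html.parser import HTMLParser
from typing import List

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ScriptFinder(HTMLParser):
    """Collect script vectors: active tags, on* handlers, javascript: URLs."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:  # names arrive lower-cased, values entity-decoded
            if EVENT_ATTR.match(name):
                self.findings.append(f"{tag}@{name} handler")
            elif name in URL_ATTRS and value:
                # drop whitespace and control characters so 'java\tscript:' is still caught
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"{tag}@{name} javascript: URL")


def scan_block(post_content: str) -> List[str]:
    """Return the script vectors found in one block's HTML (empty list if clean)."""
    parser = ScriptFinder()
    parser.feed(post_content)
    parser.close()
    return parser.findings


def audit(rows_json: str) -> List[dict]:
    """Return {ID, post_author, findings} for every exported block that carries a vector."""
    flagged = []
    for row in json.loads(rows_json):
        findings = scan_block(row["post_content"])
        if findings:
            flagged.append({"ID": row["ID"], "post_author": row["post_author"], "findings": findings})
    return flagged


# Constructed sample export; IDs and authors are invented for the example.
SAMPLE_ROWS = json.dumps([
    {"ID": 101, "post_author": 2, "post_content": "<h2>Opening hours</h2><p>Mon to Fri, 9 to 17</p>"},
    {"ID": 102, "post_author": 7, "post_content": '<p>Welcome</p><img src="x" onerror="alert(1)">'},
    {"ID": 103, "post_author": 7, "post_content": '<a href="&#106;avascript:alert(document.domain)">deals</a>'},
    {"ID": 104, "post_author": 7, "post_content": "<script>alert(1)</script>"},
])

if __name__ == "__main__":
    for hit in audit(SAMPLE_ROWS):
        print(f"content_block {hit['ID']} (author {hit['post_author']}): {', '.join(hit['findings'])}")
```

Treat the output as a triage list, not a sanitizer: it catches the common vectors but is not exhaustive. Clean flagged blocks by re-saving them through an allow-list filter such as WordPress's own wp_kses_post, and look at the post_author of each hit, since a block with script saved by a Contributor is evidence that the bug was used, not just that it existed.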
How to fix
Update to version 3.4.1, or a newer patched version
Frequently asked questions
What is CVE-2026-0894 — XSS in Content Blocks Custom Post Widget?
CVE-2026-0894 is a Stored Cross-Site Scripting (XSS) vulnerability in the Content Blocks plugin for WordPress. It allows authenticated users with contributor access to inject malicious scripts via content blocks, potentially compromising website security and user data.
Am I affected by CVE-2026-0894 in Content Blocks Custom Post Widget?
You are affected if you are using the Content Blocks (Custom Post Widget) plugin for WordPress in version 3.3.9 or earlier. Upgrade to version 3.4.1 or later to mitigate the risk.
How do I fix CVE-2026-0894 in Content Blocks Custom Post Widget?
The recommended fix is to update the Content Blocks plugin to version 3.4.1 or later. If an immediate update is not possible, restrict Contributor-level access or deactivate the plugin until you can update; a WAF rule filtering content block submissions is only a stopgap, since XSS filters are easy to bypass.
Is CVE-2026-0894 being actively exploited?
There is no public indication of active exploitation: the CVE is not on CISA KEV and its EPSS score is 0.01%. It is still a new vulnerability, so monitor security advisories and threat intelligence for updates.
Where can I find the official Content Blocks advisory for CVE-2026-0894?
Refer to the official Content Blocks plugin website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2026-0894.