| CVE-2026-2951 | Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML | gutentor | Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor | Medium | 5.4 | 2026-04-23 02:25:21 | Deep Dive |
| CVE-2026-5820 | Zypento Blocks <= 1.0.6 - Authenticated (Author+) Stored Cross-Site Scripting via Table of Contents Block | sproutient | Zypento Blocks | Medium | 6.4 | 2026-04-22 07:45:29 | Deep Dive |
| CVE-2026-6703 | Responsive Blocks <= 2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via AJAX Actions | cyberchimps | Responsive Blocks – Page Builder for Blocks & Patterns | Medium | 4.3 | 2026-04-21 06:43:59 | Deep Dive |
| CVE-2026-6675 | Responsive Blocks <= 2.2.0 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter | cyberchimps | Responsive Blocks – Page Builder for Blocks & Patterns | Medium | 5.3 | 2026-04-21 02:25:40 | Deep Dive |
| CVE-2026-0894 | Content Blocks (Custom Post Widget) <= 3.3.9 - Authenticated (Author+) Stored Cross-Site Scripting via content_block Shortcode | vanderwijk | Content Blocks (Custom Post Widget) | Medium | 6.4 | 2026-04-18 09:26:52 | Deep Dive |
| CVE-2026-4801 | Page Builder Gutenberg Blocks <= 3.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via External iCal Feed Data | godaddy | Page Builder Gutenberg Blocks – CoBlocks | Medium | 6.4 | 2026-04-18 03:37:04 | Deep Dive |
| CVE-2026-0718 | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification | wpxpo | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX | Medium | 5.3 | 2026-04-16 07:39:51 | Deep Dive |
| CVE-2026-40728 | WordPress Magazine Blocks plugin <= 1.8.3 - Broken Access Control vulnerability | BlockArt | Magazine Blocks | Medium | - | 2026-04-15 10:21:33 | Deep Dive |
| CVE-2026-4895 | Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute | wpsoul | Greenshift – animation and page builder blocks | Medium | 6.4 | 2026-04-11 01:24:59 | Deep Dive |
| CVE-2026-3498 | BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute | wpblockart | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | Medium | 6.4 | 2026-04-11 01:24:59 | Deep Dive |
| CVE-2026-5711 | Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute | pubudu-malalasekara | Post Blocks & Tools | Medium | 6.4 | 2026-04-08 21:25:27 | Deep Dive |
| CVE-2026-39575 | WordPress Custom Query Blocks plugin <= 5.5.0 - Cross Site Scripting (XSS) vulnerability | Ronald Huereca | Custom Query Blocks | - | - | 2026-04-08 08:30:21 | Deep Dive |
| CVE-2026-39516 | WordPress Nexter Blocks plugin <= 4.7.0 - Sensitive Data Exposure vulnerability | POSIMYTH | Nexter Blocks | - | - | 2026-04-08 08:30:15 | Deep Dive |
| CVE-2026-2826 | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload | stellarwp | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | Medium | 4.3 | 2026-04-04 08:25:20 | Deep Dive |
| CVE-2026-2924 | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad' | jegstudio | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem | Medium | 6.4 | 2026-04-04 02:26:20 | Deep Dive |
| CVE-2026-2602 | Twentig <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'featuredImageSizeWidth' | twentig | Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio | Medium | 6.4 | 2026-03-29 01:24:46 | Deep Dive |
| CVE-2026-32489 | WordPress B Blocks plugin < 2.0.30 - Broken Access Control vulnerability | bPlugins | B Blocks | Medium | - | 2026-03-25 16:14:58 | Deep Dive |
| CVE-2026-25429 | WordPress Nexa Blocks plugin <= 1.1.1 - PHP Object Injection vulnerability | wpdive | Nexa Blocks | Critical | 9.8 | 2026-03-25 16:14:49 | Deep Dive |
| CVE-2026-4373 | JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field | jetmonsters | JetFormBuilder — Dynamic Blocks Form Builder | High | 7.5 | 2026-03-21 06:45:14 | Deep Dive |
| CVE-2026-25438 | WordPress Gutenberg Blocks – Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability | ThemeHunk | Gutenberg Blocks | High | 7.1 | 2026-03-19 08:34:38 | Deep Dive |