CVE-2026-4658— Gutenberg Essential Blocks <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Possible ATT&CK Techniques 3AI
T1133 · External Remote Services T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| wpdevteam | Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns | ≤ 6.0.4 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4658
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Gutenberg Essential Blocks <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block (essential-blocks/add-to-cart) in all versions up to, and including, 6.0.4. This is due to insufficient output escaping in the render_callback() function where these attributes are placed into class and data-id HTML attributes using raw sprintf() and implode() without esc_attr() escaping. While the outer wrapper div uses get_block_wrapper_attributes() which properly escapes, the inner divs do not. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Essential Blocks 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Essential Blocks 6.0.4及之前版本存在跨站脚本漏洞,该漏洞源于在render_callback()函数中对className、classHook和blockId属性输出转义不足,可能导致经过身份验
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| wpdevteam | Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns | 0 ~ 6.0.4 | - |
II. Public POCs for CVE-2026-4658
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4658
请登录查看更多情报信息。
Blog · 1
IV. Related Vulnerabilities
- CVE-2025-11369
Essential Blocks <= 5.7.2 - Missing Authorization To Authent - CVE-2025-11270
Gutenberg Essential Blocks – Page Builder for Gutenberg Bloc - CVE-2025-11361
Essential Blocks <= 5.7.1 - Authenticated (Author+) Server-S - CVE-2025-4682
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & - CVE-2025-1664
Essential Blocks – Page Builder Gutenberg Blocks, Patterns &
Same vendor: wpdevteam
- CVE-2026-5193
Essential Addons for Elementor – Popular Elementor Templates - CVE-2026-6393
BetterDocs <= 4.3.11 - Missing Authorization to Authenticate - CVE-2026-3875
BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cr - CVE-2026-1512
Essential Addons for Elementor <= 6.5.9 - Authenticated (Con - CVE-2026-0554
NotificationX <= 3.1.11 - Missing Authorization to Authentic
Same weakness: CWE-79
- CVE-2026-4093
Stored XSS in Drupal 7 Term Reference Tree module (token dis - CVE-2026-8139
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via - CVE-2026-22678
Webmin < 2.641 Stored XSS via System and Server Status - CVE-2026-8203
Concrete CMS 9.5.0 and below has Stored XSS on the height pa - CVE-2026-8197
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via
V. Comments for CVE-2026-4658
No comments yet