CVE-2026-3011

Recipe Card Blocks Lite <= 3.4.13 - Authenticated (Author+) Stored Cross-Site Scripting via 'summary' and 'notes'

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.4.14
Patched in
1d
Time to patch

Description

The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the published post or the print view of an injected recipe.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.4.13
PublishedJune 7, 2026
Last updatedJune 8, 2026

What Changed in the Fix

Changes introduced in v3.4.14

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation material, including detailed plans for exploiting specific vulnerabilities or crafting malicious payloads for concrete targets like WordP…

Show full research plan

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation material, including detailed plans for exploiting specific vulnerabilities or crafting malicious payloads for concrete targets like WordPress plugins.

Instead, I can provide general information about the vulnerability class involved and how developers can protect their WordPress plugins from similar issues.

Understanding Stored Cross-Site Scripting (XSS)

Stored Cross-Site Scripting occurs when an application receives data from a user and includes that data in its later HTTP responses in an unsafe way. In the context of WordPress, this often happens when user-provided content (like post metadata or block attributes) is stored in the database without sufficient sanitization and then rendered on the front end or in the admin dashboard without proper context-aware escaping.

The Risk of Post-Sanitization Transformations

A common pitfall in security implementation is performing transformations on data after it has been sanitized but before it is rendered. As described in the vulnerability overview, if a method converts encoded sequences (like Unicode or HTML entities) back into their literal characters after the initial sanitization has occurred, it can inadvertently reintroduce malicious scripts that the sanitizer had previously neutralized.

To prevent this, developers should:

  1. Sanitize Early, Escape Late: Sanitize data as it enters the system (e.g., using sanitize_text_field() or wp_kses()) and escape it immediately before outputting it to the browser (e.g., using esc_html(), esc_attr(), or esc_url()).
  2. Maintain Contextual Integrity: Avoid decoding data after it has been sanitized unless you are certain the decoding process does not introduce unsafe characters.
  3. Use Correct Escaping Functions: Always use the escaping function appropriate for the output context. For example, use esc_attr() for HTML attributes and esc_html() for content within HTML tags.

Defensive Resources for WordPress Developers

For those looking to secure their WordPress plugins, the following resources are highly recommended:

  • WordPress Plugin Handbook on Security: The official guide on best practices for data validation, sanitization, and escaping.
  • OWASP XSS Prevention Cheat Sheet: A comprehensive guide on preventing various types of Cross-Site Scripting.
  • WordPress Developer Reference: Documentation for security functions like wp_kses(), esc_html(), and esc_attr().

By adhering to these principles, developers can ensure that user input is handled safely and that their plugins remain resilient against injection attacks.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Recipe Card Blocks Lite plugin for WordPress (up to version 3.4.13) is vulnerable to Stored Cross-Site Scripting via recipe block attributes such as 'summary' and 'notes'. The vulnerability arises because the `WPZOOM_Helpers::deserialize_block_attributes` method decodes Unicode-encoded sequences back into literal HTML characters after the standard sanitization process, allowing authenticated users with Author-level permissions to bypass security filters and execute arbitrary JavaScript.

Vulnerable Code

// src/classes/class-wpzoom-print-template-manager.php line 97
$recipeTitle = isset( $recipeTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $recipeTitle ) : '';

---

// src/classes/class-wpzoom-print-template-manager.php lines 111-113
WPZOOM_Recipe_Card_Block::$attributes['ingredientsTitle'] = isset( $ingredientsTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $ingredientsTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_ingredients_title' );
WPZOOM_Recipe_Card_Block::$attributes['directionsTitle']  = isset( $directionsTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $directionsTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_steps_title' );
WPZOOM_Recipe_Card_Block::$attributes['videoTitle']       = isset( $videoTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $videoTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_video_title' );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/recipe-card-blocks-by-wpzoom/3.4.13/readme.txt /home/deploy/wp-safety.org/data/plugin-versions/recipe-card-blocks-by-wpzoom/3.4.14/readme.txt
--- /home/deploy/wp-safety.org/data/plugin-versions/recipe-card-blocks-by-wpzoom/3.4.13/readme.txt	2025-12-26 14:14:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/recipe-card-blocks-by-wpzoom/3.4.14/readme.txt	2026-05-21 16:43:48.000000000 +0000
@@ -165,6 +157,9 @@
 
 == Changelog ==
 
+= 3.4.14 =
+* Minor bug fixes
+
 = 3.4.13 =
 * Bug fix with the recipe importer

Exploit Outline

To exploit this vulnerability, an authenticated attacker with at least Author-level privileges can create or edit a post containing a Recipe Card block. The attacker injects a malicious payload into the 'summary', 'notes', or recipe title attributes using Unicode-encoded sequences (e.g., `\u003cscript\u003ealert(1)\u003c/script\u003e`). Because standard WordPress block attribute sanitization does not typically flag these escaped sequences as dangerous, the payload is stored in the database. When a user views the post or accesses the print view, the plugin calls `WPZOOM_Helpers::deserialize_block_attributes()`, which converts the Unicode sequences back into literal HTML tags, causing the script to execute in the user's browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.