CVE-2026-8981

Description

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

References

• https://wpscan.com/vulnerability/9815b0e6-e411-4a5c-9c63-30bad21da698/