CVE-2026-8981
LowCVSS 3.5Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
The Custom Block Builder WordPress plugin before version 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields. This allows administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
Risk Assessment
The risk involves the potential for injecting malicious JavaScript code, which could lead to user data theft or session hijacking. Such a vulnerability can severely damage the organization's reputation and user trust.
Recommendation
It is recommended to update the Custom Block Builder plugin to version 4.3.0 or later to mitigate this vulnerability. Additionally, conducting an audit of administrator permissions in multisite installations is advisable.
Original NVD description (English source)
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.

