Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 2b381a38984e · 2026-04-18T12:32:04.000Z
GHSA-23v6-h45q-rxch GHSA-jx47-j339-6qpw GHSA-vpmc-9q98-4qjf
diff --git a/advisories/unreviewed/2026/04/GHSA-23v6-h45q-rxch/GHSA-23v6-h45q-rxch.json b/advisories/unreviewed/2026/04/GHSA-23v6-h45q-rxch/GHSA-23v6-h45q-rxch.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-23v6-h45q-rxch",
+  "modified": "2026-04-18T12:30:17Z",
+  "published": "2026-04-18T12:30:17Z",
+  "aliases": [
+    "CVE-2026-0894"
+  ],
+  "details": "The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0894"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3447914/custom-post-widget"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/246dee15-82e0-4630-8d95-d2419e9eaef8?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-18T10:16:12Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-jx47-j339-6qpw/GHSA-jx47-j339-6qpw.json b/advisories/unreviewed/2026/04/GHSA-jx47-j339-6qpw/GHSA-jx47-j339-6qpw.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jx47-j339-6qpw",
+  "modified": "2026-04-18T12:30:17Z",
+  "published": "2026-04-18T12:30:17Z",
+  "aliases": [
+    "CVE-2026-2505"
+  ],
+  "details": "The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2505"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3499275/categories-images"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34fb64d5-e152-4950-9ef4-6d53a97a56fb?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-18T10:16:12Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-vpmc-9q98-4qjf/GHSA-vpmc-9q98-4qjf.json b/advisories/unreviewed/2026/04/GHSA-vpmc-9q98-4qjf/GHSA-vpmc-9q98-4qjf.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vpmc-9q98-4qjf",
+  "modified": "2026-04-18T12:30:17Z",
+  "published": "2026-04-18T12:30:17Z",
+  "aliases": [
+    "CVE-2026-2986"
+  ],
+  "details": "The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2986"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3481684/contextual-related-posts"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f59e069-a953-47b6-8106-55f55df722ed?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-18T12:16:11Z"
+  }
+}
