PatchSiren cyber security CVE debrief
CVE-2026-3481 burlingtonbytes CVE debrief
CVE-2026-3481 describes a reflected cross-site scripting issue in the WP Blockade plugin for WordPress, affecting all versions up to and including 0.9.14. The vulnerable path is the shortcode preview flow: user-supplied input from $_GET['shortcode'] is passed through stripslashes() and then echoed via do_shortcode() without sanitization or escaping. If the input is not a valid WordPress shortcode, it can be reflected back into the page as-is. The endpoint is registered with admin_post_ and does not use a nonce or extra capability check, so the attack requires an authenticated WordPress account and can be abused to run attacker-controlled script in the context of a victim who follows a crafted link or otherwise triggers the preview action.
- Vendor: burlingtonbytes
- Product: WP Blockade – Visual Page Builder
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-22
Who should care
WordPress administrators, site owners, and security teams running the WP Blockade plugin should care most, especially sites that allow subscriber-level or other low-privilege accounts.
Technical summary
The issue is a CWE-79 reflected XSS in render_shortcode_preview(). According to the supplied sources, the function reads $_GET['shortcode'], applies stripslashes(), and outputs the result directly with echo do_shortcode($shortcode) on line 393. Wordfence’s referenced source links point to the relevant code in both the tagged 0.9.14 release and trunk, and the NVD record lists the CVSS v3.1 vector as AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The description indicates the admin_post_ handler requires a logged-in user, with at least Subscriber-level access, but lacks nonce verification and an additional capability check.
Defensive priority
Medium priority. The CVSS score is 6.1 (Medium), but impact depends on plugin exposure, presence of low-privilege accounts, and whether users can be lured into interacting with a malicious link.
Recommended defensive actions
- Update or remove WP Blockade if you are running version 0.9.14 or earlier.
- Review the shortcode preview handler and ensure user input is sanitized and escaped before output.
- Add nonce verification and a stronger capability check to the admin_post_ action.
- Restrict low-privilege account creation if the plugin is not required for those users.
- Check for suspicious use of the shortcode preview endpoint in logs, especially requests involving unexpected HTML or script-like input.
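To make the sanitization, nonce and capability items concrete, the following is an added illustration in WordPress PHP of the vulnerable preview pattern the debrief describes next to a hardened handler; it is not WP Blockade's own code, and the hook name, function names and nonce action are placeholders chosen here, since the plugin's real names are not given in the sources.

```php
<?php
// Added illustration, not WP Blockade's code. Hook, function and nonce names
// are placeholders; the plugin's real identifiers are not in the debrief.

// Vulnerable pattern as described in the debrief: raw $_GET input, stripslashes(),
// then echo do_shortcode() with no nonce, no capability check and no escaping.
// Input that is not a registered shortcode comes back out verbatim.
function example_preview_vulnerable() {
    $shortcode = stripslashes( $_GET['shortcode'] );
    echo do_shortcode( $shortcode );
    exit;
}

// Hardened form: nonce, capability check, unslash + sanitize, allow-listed
// shortcode tag only, and escaping of whatever is finally echoed.
function example_preview_hardened() {
    // 1. CSRF protection: the preview link must carry a valid nonce (built with
    //    wp_nonce_url( $url, 'example_preview_shortcode' ) on the sending side).
    check_admin_referer( 'example_preview_shortcode' ); // dies on failure

    // 2. A capability check beyond "is logged in": Subscriber-level accounts,
    //    the ones the debrief worries about, do not have edit_posts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // 3. Unslash request data with wp_unslash() (not stripslashes()), then sanitize.
    $input = isset( $_GET['shortcode'] )
        ? sanitize_text_field( wp_unslash( $_GET['shortcode'] ) )
        : '';

    // 4. Only render a complete, registered shortcode. get_shortcode_regex() is
    //    built from the registered tags; capture group 2 is the tag name.
    $pattern = get_shortcode_regex();
    if ( ! preg_match( "/$pattern/", $input, $m ) || ! shortcode_exists( $m[2] ) ) {
        echo '<p>' . esc_html__( 'Not a registered shortcode.', 'example' ) . '</p>';
        exit;
    }

    // 5. Render only the matched shortcode and pass the result through the
    //    post-content HTML allow-list before it reaches the page.
    echo wp_kses_post( do_shortcode( $m[0] ) );
    exit;
}
add_action( 'admin_post_example_preview_shortcode', 'example_preview_hardened' );
```

wp_kses_post() will strip any script or event-handler markup a shortcode legitimately emits, so a page builder that relies on such output needs a narrower allow-list at step 5 rather than skipping the escaping.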
Evidence notes
The supplied NVD record and Wordfence-linked source references support the finding. The relevant code locations are cited at wp-blockade.php lines 360 and 393 in both the tagged 0.9.14 release and trunk. The CVE record was published and modified on 2026-05-22T05:16:25.640Z. The vulnerability is classified as CWE-79, with a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The corpus indicates the endpoint is reachable through authenticated WordPress access and does not include a nonce or additional capability check.
Official resources
Publicly recorded on 2026-05-22, based on the CVE and NVD entries supplied in the source corpus. No KEV listing was provided.