PatchSiren cyber security CVE debrief
CVE-2026-8981 Custom Block Builder CVE debrief
CVE-2026-8981 is a vulnerability in the Custom Block Builder WordPress plugin before version 4.3.0. The plugin does not consistently check the unfiltered_html capability across all paths that write to its block template code fields. This allows administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block. The vulnerability has a CVSS score of 3.5 and a severity of LOW.
- Vendor
- Custom Block Builder
- Product
- Custom Block Builder
- CVSS
- LOW 3.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Administrators of WordPress multisite installations or single-site installs with DISALLOW_UNFILTERED_HTML defined who use the Custom Block Builder plugin.
Technical summary
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
Defensive priority
LOW
Recommended defensive actions
- Update the Custom Block Builder plugin to version 4.3.0 or later.
- Review and restrict administrative access to the WordPress installation.
Evidence notes
The vulnerability was reported by WPScan.
Official resources
-
CVE-2026-8981 CVE record
CVE.org
-
CVE-2026-8981 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-8981 was published on [2026-06-09T06:16:54.067Z](https://www.cve.org/CVERecord?id=CVE-2026-8981) and modified on [2026-06-09T13:51:18.770Z](https://nvd.nist.gov/vuln/detail/CVE-2026-8981).