PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6740 posimyththemes CVE debrief

The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM. Users of the plugin should be aware of this vulnerability and take necessary actions to protect their sites.

Vendor
posimyththemes
Product
Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Users of the Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress, particularly those with contributor-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating the plugin to a version that fixes the vulnerability, implementing additional security measures, and monitoring their WordPress site for suspicious activity.

Technical summary

The CVE-2026-6740 vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress. The vulnerability exists in all versions up to, and including, 4.7.4, and is caused by insufficient input sanitization and output escaping in the 'commentIcon' parameter. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM.

Defensive priority

Medium priority due to the CVSS score of 6.4 and the potential for authenticated attackers to inject malicious scripts.

Recommended defensive actions

  • Update the Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin to a version that fixes the vulnerability.
  • Implement additional security measures such as input validation and output encoding to prevent similar vulnerabilities.
  • Monitor your WordPress site for suspicious activity and ensure that all user accounts have strong passwords and minimal privileges.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-08T13:16:57.653Z and was last modified on 2026-07-08T18:16:35.223Z. The NVD entry is currently Deferred. There may be additional information available from the vendor or other sources that could help defenders verify and mitigate this vulnerability. However, the current information is limited, and defenders should exercise caution when assessing and mitigating this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T13:16:57.653Z and has not been modified since then. The NVD entry is currently Deferred.