PatchSiren

bplugins CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM bplugins CVE published 2026-06-18

CVE-2026-11402

The Services Section Block plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'link' block attribute, affecting all versions up to 1.4.4. Authenticated attackers with contributor-level access can inject web scripts, which execute when users access injected pages. The payload is stored in HTML comments within post_content, bypassing wp_kses_post sanitization.

HIGH bPlugins CVE published 2026-06-15

CVE-2026-39579

CVE-2026-39579 is a high-severity vulnerability in the B Blocks plugin, affecting versions up to 2.0.31. The vulnerability allows for contributor privilege escalation, with a CVSS score of 8.8. The CVE was published on 2026-06-15T21:16:47.553Z and last modified on 2026-06-15T21:24:32.790Z. The vendor and product information is currently unknown, but evidence suggests a connection to Patchstack.

MEDIUM bplugins CVE published 2026-06-10

CVE-2026-53736

CVE-2026-53736 is a medium-severity cross-site request forgery vulnerability in Easy Twitter Feeds before version 1.2.13. The vulnerability exists in the duplicate_post action handler, which lacks nonce verification. This allows an attacker to trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type. The Common Vulnerability Scoring System (CVSS) score for [truncated]

MEDIUM bPlugins CVE published 2026-05-26

CVE-2026-24520

CVE-2026-24520 is a Missing Authorization vulnerability in the bPlugins Tiktok Feed WordPress plugin, affecting versions up to and including 1.0.24. The vulnerability allows exploitation of incorrectly configured access control security levels, enabling authenticated attackers with low privileges to perform unauthorized actions. The issue was published in the NVD on May 26, 2026, with a CVSS 3.1 score of [truncated]