The Services Section Block plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'link' block attribute, affecting all versions up to 1.4.4. Authenticated attackers with contributor-level access can inject web scripts, which execute when users access injected pages. The payload is stored in HTML comments within post_content, bypassing wp_kses_post sanitization.
CVE-2026-39579 is a high-severity vulnerability in the B Blocks plugin, affecting versions up to 2.0.31. The vulnerability allows for contributor privilege escalation, with a CVSS score of 8.8. The CVE was published on 2026-06-15T21:16:47.553Z and last modified on 2026-06-15T21:24:32.790Z. The vendor and product information is currently unknown, but evidence suggests a connection to Patchstack.
CVE-2026-53736 is a medium-severity cross-site request forgery vulnerability in Easy Twitter Feeds before version 1.2.13. The vulnerability exists in the duplicate_post action handler, which lacks nonce verification. This allows an attacker to trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type. The Common Vulnerability Scoring System (CVSS) score for [truncated]
CVE-2026-24520 is a Missing Authorization vulnerability in the bPlugins Tiktok Feed WordPress plugin, affecting versions up to and including 1.0.24. The vulnerability allows exploitation of incorrectly configured access control security levels, enabling authenticated attackers with low privileges to perform unauthorized actions. The issue was published in the NVD on May 26, 2026, with a CVSS 3.1 score of [truncated]