Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.4
WordPress Post Blocks & Tools plugin allows malicious scripts on pages
CVE-2026-5711
Summary
The Post Blocks & Tools plugin for WordPress has a security flaw that allows attackers to inject malicious scripts on pages. This means that if an attacker has permission to edit a page, they can add code that will run on the page when others visit it. To protect your site, update the Post Blocks & Tools plugin to the latest version or remove it if possible.
Original title
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0...
Original description
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
nvd CVSS3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.0/src/blocks/post...
- https://plugins.trac.wordpress.org/browser/bnm-blocks/tags/1.3.1/src/blocks/post...
- https://plugins.trac.wordpress.org/browser/bnm-blocks/trunk/src/blocks/posts/sli...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/aeada6dc-0851-45e8-ada...
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026