CVE-2026-3481
Description
The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the page without escaping. The endpoint is registered via admin_post_ (not admin_post_nopriv_), meaning it requires the user to be logged in with at minimum a Subscriber-level account. There is no nonce verification or additional capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute if they can successfully trick a user into performing an action such as clicking a link.
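As an added illustration (not WP Blockade's own code and not a vendor patch), the handler pattern the description identifies is shown beside a hardened form; the hook names, nonce action and function names are assumptions, the WordPress API calls are real:

```php
<?php
// Added illustration, not WP Blockade's code. Hook names, nonce action and
// function names are assumed; the WordPress API calls are real.

// Vulnerable pattern as the CVE describes it: registered on admin_post_ only
// (so any logged-in user, Subscriber included, can reach it), no nonce, no
// capability check; $_GET input goes through stripslashes() and is echoed
// via do_shortcode(), which returns non-shortcode text (e.g. HTML) unchanged.
function vuln_render_shortcode_preview() {
    $shortcode = stripslashes( $_GET['shortcode'] );
    echo do_shortcode( $shortcode );
    exit;
}
add_action( 'admin_post_example_preview', 'vuln_render_shortcode_preview' );

// Hardened handler (an assumed fix, not the vendor's patch).
function safe_render_shortcode_preview() {
    // 1. Nonce: a link crafted by an attacker cannot carry a valid nonce for
    //    the victim, so a forced request dies here. The legitimate preview
    //    link is built with wp_nonce_url( ..., 'example_preview' ).
    check_admin_referer( 'example_preview' );

    // 2. Capability: previews are an editing feature; Subscribers are refused.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 3. Sanitize: wp_unslash() replaces stripslashes(); sanitize_text_field()
    //    strips tags, so an HTML tag with an event handler is removed here.
    $raw       = isset( $_GET['shortcode'] ) ? wp_unslash( $_GET['shortcode'] ) : '';
    $shortcode = sanitize_text_field( $raw );

    // 4. Allowlist: only input that opens with a registered shortcode tag is
    //    rendered; anything else is rejected rather than reflected.
    if ( ! preg_match( '/^\[([a-zA-Z0-9_-]+)/', $shortcode, $m )
         || ! shortcode_exists( $m[1] ) ) {
        wp_die( 'Not a registered shortcode.', 400 );
    }

    // 5. Escape on output: wp_kses_post() keeps post-safe HTML produced by the
    //    shortcode handler and drops script tags and event handlers.
    echo wp_kses_post( do_shortcode( $shortcode ) );
    exit;
}
add_action( 'admin_post_example_preview_safe', 'safe_render_shortcode_preview' );
```

Steps 1 and 2 close the path the description notes is open to any logged-in user; steps 3 to 5 ensure that even a reachable request cannot reflect attacker-controlled markup.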
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the WP Blockade plugin, versions up to and including 0.9.14, via the unsanitized 'shortcode' parameter, requiring Subscriber-level authentication.
Vulnerability
The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to and including 0.9.14. The vulnerability resides in the render_shortcode_preview() function, which takes user input from the $_GET['shortcode'] parameter, passes it through stripslashes() without sanitization, and then echoes the result of do_shortcode($shortcode) directly on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, resulting in unescaped reflection into the page. The endpoint is accessible only to authenticated users via admin_post_ hooks, with no nonce or capability check [1][2].
Exploitation
An attacker must be authenticated with at least Subscriber-level access. The attacker crafts a malicious link containing a shortcode parameter with a JavaScript payload (e.g., ``). If a user (such as an administrator) clicks the link, the payload executes in the victim's browser session against the WordPress admin area. No user interaction beyond the click is required.
Impact
Successful exploitation allows the attacker to inject arbitrary web scripts, leading to potential session hijacking, defacement, or theft of sensitive information. The attack runs in the context of the victim's session, which can be used to perform actions on behalf of the victim, including privilege escalation if the victim is an administrator.
Mitigation
Not yet disclosed in the available references. Users of WP Blockade up to version 0.9.14 should restrict access to trusted users and monitor for updates from the plugin author. No patch has been identified as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: <=0.9.14
- (no CPE) range: <=0.9.14
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php
- plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php
- www.wordfence.com/threat-intel/vulnerabilities/id/66950509-ce2a-42fe-a8b2-2a92a1b573c3
News mentions
No linked articles in our index yet.