VYPR
Medium severity (6.4) · NVD Advisory · Published Jun 13, 2026

CVE-2026-9629

Description

Stored XSS in Canvas WordPress plugin via 'tag' parameter allows contributor-level attackers to inject arbitrary scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Canvas plugin for WordPress, in all versions up to and including 2.5.2, contains a stored cross-site scripting (XSS) vulnerability in the tag parameter. The issue arises from insufficient input sanitization and output escaping within the custom blocks functionality, as seen in the code at gutenberg/custom-blocks/index.php [1].

Exploitation

An authenticated attacker with at least contributor-level access can inject arbitrary web scripts by supplying malicious input to the tag parameter. The injected script is stored on the server and executed when any user, including administrators, visits the affected page.
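The two paragraphs above describe the bug class (a stored attribute echoed without escaping) and the trigger (a contributor saves it, every viewer runs it). The following is an added illustration written for this page; it is not the Canvas plugin's code and does not reproduce gutenberg/custom-blocks/index.php. The block name canvas-demo/tagged, the render callback names, and the attacker string are assumptions made for the example. The stand-in definitions at the top exist only so the file runs with the php CLI outside WordPress; inside WordPress the real sanitize_text_field(), esc_attr() and esc_html() are already loaded and the stand-ins are skipped.

```php
<?php
// Added example, not the Canvas plugin's code. Shows a dynamic block whose
// 'tag' attribute is echoed unescaped, beside a hardened version of the same callback.

// Stand-ins (simplified) so this runs standalone. WordPress defines the real ones.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Simplified: drop tags and control characters, trim whitespace.
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', strip_tags( (string) $str ) ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}

// VULNERABLE pattern: the stored attribute reaches the page verbatim, in both an
// attribute context and an element-text context. Whoever saved the block (a
// contributor is enough) controls what every later viewer's browser executes.
function render_tagged_block_vulnerable( array $attributes ): string {
    $tag = $attributes['tag'] ?? '';
    return '<span class="tag" data-tag="' . $tag . '">' . $tag . '</span>';
}

// HARDENED pattern: sanitize the value, then escape at output with the escaper
// that matches each HTML context (esc_attr inside the attribute, esc_html for text).
function render_tagged_block_hardened( array $attributes ): string {
    $tag = sanitize_text_field( $attributes['tag'] ?? '' );
    return '<span class="tag" data-tag="' . esc_attr( $tag ) . '">' . esc_html( $tag ) . '</span>';
}

// How the hardened callback would be wired up inside WordPress (hypothetical block name).
if ( function_exists( 'add_action' ) && function_exists( 'register_block_type' ) ) {
    add_action( 'init', function () {
        register_block_type( 'canvas-demo/tagged', [
            'attributes'      => [ 'tag' => [ 'type' => 'string', 'default' => '' ] ],
            'render_callback' => 'render_tagged_block_hardened',
        ] );
    } );
}

// Constructed attacker value (not taken from the advisory): closes the data-tag
// attribute, then injects a script element.
$attrs = [ 'tag' => '"><script>alert(document.cookie)</script>' ];

echo 'vulnerable: ', render_tagged_block_vulnerable( $attrs ), PHP_EOL;
echo 'hardened:   ', render_tagged_block_hardened( $attrs ), PHP_EOL;
```

Running it with `php example.php` prints the vulnerable markup with a live script element and the hardened markup with the quote and angle brackets encoded, so the value is rendered as inert text. The design point is that escaping is chosen per output context at the moment of rendering; input sanitization alone does not protect the attribute context, which is why the advisory names both insufficient sanitization and insufficient output escaping.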

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking, defacement of the site, theft of sensitive data, or further compromise of the WordPress installation.

Mitigation

As of the publication date, no patched version has been released. Until an official fix is available, disable the Canvas plugin, or add a web application firewall rule that rejects tag parameter values containing HTML markup. Because exploitation requires a contributor-level account, also review which accounts hold that role and remove any that do not need it.

AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

References: 6

News mentions: 0