GHSA-cfcv-65jq-76jwLowCVSS 3.5
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the...
🔗 CVE IDs covered (1)
📋 Description
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.