{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3498", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-03T20:05:42.046Z", "datePublished": "2026-04-11T01:24:59.386Z", "dateUpdated": "2026-04-13T12:27:05.181Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-11T01:24:59.386Z"}, "affected": [{"vendor": "wpblockart", "product": "BlockArt Blocks \u2013 Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d0cb432-785a-4f38-830f-72b95e65aa5a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/QueryLoop.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/PostTemplate.php#L67"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fblockart-blocks/tags/2.2.15&new_path=%2Fblockart-blocks/tags/2.3.0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-04-10T12:03:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:26:50.823816Z", "id": "CVE-2026-3498", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:27:05.181Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3498", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:26:50.823816Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:26:59.114Z"}}], "cna": {"title": "BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpblockart", "product": "BlockArt Blocks \u2013 Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-10T12:03:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d0cb432-785a-4f38-830f-72b95e65aa5a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/QueryLoop.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/PostTemplate.php#L67"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fblockart-blocks/tags/2.2.15&new_path=%2Fblockart-blocks/tags/2.3.0"}], "descriptions": [{"lang": "en", "value": "The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-11T01:24:59.386Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3498", "state": "PUBLISHED", "dateUpdated": "2026-04-13T12:27:05.181Z", "dateReserved": "2026-03-03T20:05:42.046Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-11T01:24:59.386Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-3498", "lastModified": "2026-04-24T18:00:32.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-11T02:16:02.117", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/PostTemplate.php#L67"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/QueryLoop.php#L43"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fblockart-blocks/tags/2.2.15&new_path=%2Fblockart-blocks/tags/2.3.0"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d0cb432-785a-4f38-830f-72b95e65aa5a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.15]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BlockArt Blocks \u2013 Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library", "source": "cna", "vendor": "wpblockart"}, "product": "blockart_blocks_\u2013_gutenberg_blocks,_page_builder_blocks_,wordpress_block_plugin,_sections_&_template_library", "vendor": "wpblockart"}], "analysis": {"en": {"generated_at": "2026-04-11T02:21:43.427395+00:00", "value": {"mitigation_remediation": ["Update the BlockArt Blocks plugin to version\u202f2.3.0 or newer.", "If the update cannot be performed immediately, remove Author\u2011level permissions from users or restrict access to the page editor to reduce the attack surface.", "After applying the patch, verify that no malicious script is present in the \u2018clientId\u2019 attribute of any block and confirm that the site functions correctly."], "summary": {"action": "Patch", "impact": "Stored XSS leading to arbitrary script execution"}, "threat_synthesis": {"affected_systems": "All installations of the BlockArt Blocks WordPress plugin up through and including version\u202f2.2.15 are affected. The product is distributed by the vendor WPBlockArt and is used as a Gutenberg block and page\u2011builder plugin within WordPress sites.", "description_and_impact": "The BlockArt Blocks plugin for WordPress contains a stored cross\u2011site scripting vulnerability via the \u2018clientId\u2019 block attribute. The deficiency in input sanitization and output escaping allows an authenticated user with \"Author\" or higher privileges to embed arbitrary JavaScript, which is then executed whenever any visitor loads the affected page. This flaw gives attackers the capability to manipulate or hijack the browsing session, potentially exfiltrating credentials or performing additional actions on behalf of the user, thereby violating the integrity and confidentiality of the site.", "risk_and_exploitability": "The CVSS v3.1 score of 6.4 reflects moderate severity and the presence of user\u2011level authentication. Exploitation requires only author\u2011level access, an achievable privilege on most sites, and does not require additional conditions. No EPSS score is available and the vulnerability is currently not listed in the CISA KEV catalog, but the stored nature of the flaw means the impact can be persistent for all site visitors. While not immediately exploitable by unauthenticated attackers, any user with author access can carry out the injection, making timely patching prudent."}}}}, "created": "2026-04-13T12:41:58.006654+00:00", "updated": "2026-04-13T12:56:41.956804+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpblockart", "wpblockart$PRODUCT$blockart_blocks_\u2013_gutenberg_blocks,_page_builder_blocks_,wordpress_block_plugin,_sections_&_template_library"]}