{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4801", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-25T10:02:15.632Z", "datePublished": "2026-04-18T03:37:03.859Z", "dateUpdated": "2026-04-18T03:37:03.859Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T03:37:03.859Z"}, "affected": [{"vendor": "godaddy", "product": "Page Builder Gutenberg Blocks \u2013 CoBlocks", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Page Builder Gutenberg Blocks \u2013 CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up to, and including, 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds in the Events block rendering function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Page Builder Gutenberg Blocks <= 3.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via External iCal Feed Data", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bde0aef3-aa61-4ee7-9cbf-9f51cb5ac700?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L218"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L245"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L246"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L246"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L255"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L255"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L91"}, {"url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L91"}, {"url": "https://plugins.trac.wordpress.org/changeset/3475789/coblocks/trunk/src/blocks/events/index.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcoblocks/tags/3.1.16&new_path=%2Fcoblocks/tags/3.1.17"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Fernando Mecozzi"}], "timeline": [{"time": "2026-04-17T14:48:43.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Builder Gutenberg Blocks \u2013 CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up to, and including, 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds in the Events block rendering function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4801", "lastModified": "2026-04-18T05:16:23.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-18T05:16:23.987", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L218"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L245"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L246"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L255"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/tags/3.1.16/src/blocks/events/index.php#L91"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L218"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L245"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L246"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L255"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coblocks/trunk/src/blocks/events/index.php#L91"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3475789/coblocks/trunk/src/blocks/events/index.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcoblocks/tags/3.1.16&new_path=%2Fcoblocks/tags/3.1.17"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bde0aef3-aa61-4ee7-9cbf-9f51cb5ac700?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:39:37.775499+00:00", "value": {"mitigation_remediation": ["Update the Page Builder Gutenberg Blocks \u2013 CoBlocks plugin to version 3.1.17 or newer to remove the unescaped output issues.", "If an update cannot be applied immediately, disable the use of external iCal feeds in the Events block or limit Contributor access so that only trusted users can provide event data.", "Audit any custom rendering logic or overrides that process iCal data to ensure proper HTML escaping before output."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting on pages rendered by the Events block"}, "threat_synthesis": {"affected_systems": "All installations of the Page Builder Gutenberg Blocks \u2013 CoBlocks plugin for WordPress running version 3.1.16 or earlier are impacted. The vendor listed in the CNA record is godaddy (the plugin\u2019s name is Page Builder Gutenberg Blocks \u2013 CoBlocks).", "description_and_impact": "The Page Builder Gutenberg Blocks \u2013 CoBlocks plugin allows an authenticated user with Contributor or higher privileges to insert malicious scripts into page content by exploiting a lack of output escaping for event titles, descriptions, and locations that are pulled from external iCal feeds in the Events block rendering function. The stored script is then delivered to any visitor who views the affected page, giving the attacker a persistent client\u2011side vulnerability that can be used for phishing, cookie theft, or malicious redirects.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 6.4, which places it in the medium severity range. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalogue, indicating that no widespread exploit is reported. Exploitation requires an authenticated Contributor or higher user; attackers can inject arbitrary scripts into event data that is then rendered to all users viewing the page. While no public exploit is currently known, the ability for an attacker to inject persistent scripts poses a moderate risk to site users."}}}}, "created": "2026-04-18T08:45:41.378681+00:00", "updated": "2026-04-18T08:45:41.378692+00:00", "vendors": []}