CVE-2026-9756: The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and includ
The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can store a JavaScript payload in their own profile description (allowlisted by get_safe_user_meta_keys()) and prepend 'javascript:' via the linkMetaFieldType attribute, creating a fully attacker-controlled href that executes when any user, including an administrator, clicks the rendered headline link.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-9756
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-97560.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 12% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-9756 | coverage & exploitation status | NVD · CVE.org |
More from NVD Recent CVEs
- highCVE-2026-58281: Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized at…2026-07-11
- mediumCVE-2026-10660: The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assi…2026-07-11
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and ext…2026-07-11