Attack Vectors
Page Builder Gutenberg Blocks – CoBlocks (slug: coblocks) versions up to and including 3.1.16 are affected by a medium-severity stored cross-site scripting (XSS) issue (CVE-2026-27094, CVSS 6.4).
The primary attack path requires an authenticated WordPress user with at least Contributor permissions. An attacker with that level of access could place malicious script content into a page or content area that uses CoBlocks; the script is then stored in your site's content and executes later in the browser of anyone who views the affected page.
This matters for organizations that allow many internal users, contractors, or partners to create or edit content. It also raises the risk from “account compromise” scenarios (e.g., a contributor’s credentials are stolen), because the attacker can then use legitimate access to plant persistent malicious code into your website content.
Security Weakness
The vulnerability is caused by insufficient input sanitization and output escaping. In business terms, this means the plugin does not consistently treat user-supplied content as untrusted, allowing harmful scripts to be saved and later displayed to other visitors or logged-in users.
Because this is a stored XSS issue, the malicious code can persist over time until the affected content is found and removed. The impact can extend beyond the original contributor account, especially if higher-privilege users (such as Editors or Administrators) view the infected content in the WordPress dashboard or on the public site.
At the time of the advisory, there is no known patch available. Remediation guidance therefore depends on your organization’s risk tolerance and your need for the plugin’s functionality.
Technical or Business Impacts
Stored XSS issues commonly translate into real business risks: brand damage, loss of customer trust, and increased exposure to fraud or data privacy incidents. If malicious scripts run in a user’s browser, they can potentially manipulate what the user sees, redirect visitors to unsafe destinations, or interfere with normal site behavior.
For marketing and revenue teams, this can mean compromised landing pages, altered calls-to-action, damaged SEO performance, and reduced conversion rates due to trust warnings or suspicious behavior. For executives and compliance teams, it can mean heightened audit findings, incident response costs, and potential legal exposure depending on what data is accessed and what user populations are affected.
Given the medium severity and the requirement for authenticated access (Contributor+), the practical risk is often highest in organizations with many content authors or where contributor accounts are widely distributed. With no patch currently available, many organizations will consider uninstalling Page Builder Gutenberg Blocks – CoBlocks and replacing it, or applying compensating controls (such as reducing contributor permissions, tightening publishing workflows, and monitoring for unexpected script tags in content) to reduce exposure while evaluating alternatives.
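The "monitoring for unexpected script tags in content" control above can be run as a sweep over stored post content. The following is an added example, not code from the advisory or the CoBlocks project, and it does not reproduce the CoBlocks defect: it parses post_content the way WordPress stores it (HTML plus the Gutenberg block-delimiter comments) and reports script-capable markup, ranking findings so that content saved by low-privilege authors, who should never be able to store script, surfaces first. The sample records, block names and role ranking are constructed assumptions for the demonstration.

```python
"""Sweep stored WordPress post content for script-capable markup.

Added defender-side example for the compensating control "monitor for
unexpected script tags in content". Not CoBlocks code; it parses post_content
as stored (HTML plus <!-- wp:block --> delimiters) and reports where script
tags, inline event handlers or javascript: URLs appear.
"""
from dataclasses import dataclass
from html.parser import HTMLParser

# Attributes whose value is a URL a browser may navigate to or load.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

# Lower rank = less trusted author (constructed ordering of WordPress roles).
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


@dataclass
class Finding:
    post_id: int
    author_role: str
    block: str    # innermost Gutenberg block containing the markup, or "(none)"
    kind: str     # "script-tag", "event-handler" or "javascript-url"
    detail: str


def is_javascript_url(value: str) -> bool:
    """True if the value resolves to the javascript: scheme. Browsers ignore
    whitespace and control characters inside the scheme, so strip them first."""
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 32)
    return cleaned.lower().startswith("javascript:")


class _ContentScanner(HTMLParser):
    """Walk one post's HTML while tracking which Gutenberg block we are inside."""

    def __init__(self, post_id: int, author_role: str):
        super().__init__(convert_charrefs=True)
        self.post_id = post_id
        self.author_role = author_role
        self.block_stack: list[str] = []
        self.findings: list[Finding] = []

    def _add(self, kind: str, detail: str) -> None:
        block = self.block_stack[-1] if self.block_stack else "(none)"
        self.findings.append(Finding(self.post_id, self.author_role, block, kind, detail))

    def handle_comment(self, data: str) -> None:
        # Gutenberg delimits blocks as <!-- wp:name {...} --> ... <!-- /wp:name -->
        text = data.strip()
        if text.startswith("/wp:"):
            if self.block_stack:
                self.block_stack.pop()
        elif text.startswith("wp:"):
            self.block_stack.append(text.split()[0][3:])

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self._add("script-tag", "<script> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self._add("event-handler", f"<{tag} {name}>")
            elif lname in URL_ATTRS and value and is_javascript_url(value):
                self._add("javascript-url", f"<{tag} {name}={value.strip()[:40]!r}>")


def scan_post(post_id: int, author_role: str, content: str) -> list[Finding]:
    scanner = _ContentScanner(post_id, author_role)
    scanner.feed(content)
    scanner.close()
    return scanner.findings


def sweep(posts) -> list[Finding]:
    """Scan every record and order findings least-trusted author first."""
    findings: list[Finding] = []
    for post in posts:
        findings.extend(scan_post(post["ID"], post["author_role"], post["post_content"]))
    findings.sort(key=lambda f: (ROLE_RANK.get(f.author_role, 0), f.post_id))
    return findings


# Constructed sample rows shaped like wp_posts joined to the author's role;
# not real site content and not the markup the advisory describes.
SAMPLE_POSTS = [
    {"ID": 101, "author_role": "contributor", "post_content":
     '<!-- wp:coblocks/alert -->\n<div class="wp-block-coblocks-alert"><p>Welcome</p></div>\n'
     '<!-- /wp:coblocks/alert -->'},
    {"ID": 102, "author_role": "contributor", "post_content":
     '<!-- wp:coblocks/row -->\n<div class="wp-block-coblocks-row">'
     '<a href=" JaVa\tscript:alert(1)">Offer</a><img src="x" onerror="alert(1)"></div>\n'
     '<!-- /wp:coblocks/row -->'},
    {"ID": 103, "author_role": "administrator", "post_content":
     '<!-- wp:html -->\n<script src="https://example.com/analytics.js"></script>\n<!-- /wp:html -->'},
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_POSTS):
        print(f"post {f.post_id} ({f.author_role}) block={f.block}: {f.kind} {f.detail}")
```

In practice the records would come from a wp_posts export or a read-only database query joined to the author's role; a hit on content saved by a Contributor is the signal to investigate, since that role cannot legitimately store script, whereas an Administrator's Custom HTML block may be expected and should be reviewed against a known-good list rather than treated as an incident on its own.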
References: CVE-2026-27094 | Wordfence advisory