Attack Vectors

Page Builder Gutenberg Blocks – CoBlocks (WordPress plugin slug: coblocks) is affected by a Medium-severity vulnerability (CVSS 6.4) tracked as CVE-2026-27094. The issue is a Stored Cross-Site Scripting (XSS) vulnerability impacting versions up to and including 3.1.16.

The attack requires an authenticated WordPress account with Contributor-level access or higher. An attacker who can create or edit content can inject malicious script content into a page. Because it is stored, the script executes later whenever any user visits the affected page—without requiring the visitor to click anything.

Security Weakness

The root cause is described as insufficient input sanitization and output escaping within Page Builder Gutenberg Blocks – CoBlocks. In practical terms, the plugin does not adequately filter or safely display certain user-provided content, allowing attacker-supplied scripts to be saved and then rendered for site visitors.

This is particularly relevant for organizations that allow multiple internal users, contractors, agencies, or guest contributors to publish or draft content. Even when those accounts are “legitimate,” any compromised contributor account (or a malicious insider) could leverage this weakness.

Technical or Business Impacts

A stored XSS issue like this can create meaningful business risk even at Medium severity. Potential impacts include: brand damage from defaced or suspicious page behavior; loss of customer trust if visitors see unexpected pop-ups, redirects, or modified content; and potential exposure of session-related data depending on what scripts run in a visitor’s browser context. It can also undermine marketing performance by altering landing pages, interfering with analytics tags, or disrupting conversion flows.

From a governance and compliance perspective, allowing injected scripts to run on pages viewed by customers or employees can trigger incident response obligations, internal control reviews, and additional scrutiny from auditors—especially if the affected pages support lead capture, account access, or other customer-facing journeys.

Recommended remediation: Update Page Builder Gutenberg Blocks – CoBlocks to version 3.1.17 or a newer patched version. After updating, consider reviewing recent content changes made by contributor-level accounts, and validate that high-value pages (homepage, key landing pages, forms pages) have not been modified unexpectedly.

Similar attacks (real examples): Stored or plugin-driven XSS issues are a common pattern in the WordPress ecosystem. Examples include CVE-2024-27956 (WordPress plugin XSS class issue), CVE-2023-2745, and CVE-2022-21661.

Reference: Wordfence advisory source: https://www.wordfence.com/threat-intel/vulnerabilities/id/f8310fae-813c-4325-9ae6-f0ea470e0168