{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5820", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-08T16:09:15.963Z", "datePublished": "2026-04-22T07:45:28.842Z", "dateUpdated": "2026-04-22T07:45:28.842Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:28.842Z"}, "affected": [{"vendor": "sproutient", "product": "Zypento Blocks", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.06", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Zypento Blocks <= 1.0.6 - Authenticated (Author+) Stored Cross-Site Scripting via Table of Contents Block", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/024a6a0f-f819-40e7-9618-71219c27aa64?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L71"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-04-21T19:03:28.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-5820", "lastModified": "2026-04-22T09:16:25.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:25.977", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L57"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L71"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/024a6a0f-f819-40e7-9618-71219c27aa64?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T10:06:44.975388+00:00", "value": {"mitigation_remediation": ["Update the Zypento Blocks plugin to the latest version available from the vendor, ensuring any fix addressing the stored XSS flaw is applied.", "If an update is not immediately possible, disable or remove the Table of Contents block from all posts so that no untrusted markup can be entered.", "Configure a Content Security Policy that blocks inline scripts and restricts execution of JavaScript unless it is from a trusted source."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (authenticated)"}, "threat_synthesis": {"affected_systems": "WordPress sites that utilize the Zypento Blocks plugin, specifically version 1.0.6 or any earlier release. The vulnerability is present in all releases up to and including 1.0.6.", "description_and_impact": "The Zypento Blocks WordPress plugin suffers from a stored cross\u2011site scripting flaw in the Table of Contents block. The plugin\u2019s front\u2011end renders heading text by reading the DOM via innerText and then writes that content back into the page using innerHTML without any sanitization. Because the block is editable by users with Author\u2011level or higher permissions, an attacker can inject arbitrary JavaScript that will run in the browsers of anyone who views the affected post or page.", "risk_and_exploitability": "This flaw has a CVSS score of 6.4, indicating a moderate severity. The EPSS score is not reported, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector requires the attacker to be authenticated with Author or higher permissions; they can then edit a post, insert malicious markup into the Table of Contents block, and cause the script to execute in the browsers of all users who view that content."}}}}, "created": "2026-04-22T10:15:14.509989+00:00", "updated": "2026-04-22T10:15:14.510003+00:00", "vendors": []}