Threat Entry Updated 2026-06-08

CVE-2026-3011 - Recipe Card Blocks By Wpzoom Plugin

The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the published post or the print view of an injected recipe.

PLUGIN Recipe Card Blocks By Wpzoom

CVE-2026-3011

MEDIUM CVSS 6.4 2026-06-08

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24632 - Recipe Card Blocks By Wpzoom Plugin

The Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.1 does not escape the message parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

PLUGIN Recipe Card Blocks By Wpzoom

CVE-2021-24632

MEDIUM CVSS 6.1 2021-09-27

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24634 - Recipe Card Blocks By Wpzoom Plugin

The Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.3 does not properly sanitise or escape some of the properties of the Recipe Card Block (such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings), which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Recipe Card Blocks By Wpzoom

CVE-2021-24634

MEDIUM CVSS 5.4 2021-09-27

Risk Score

Open Full Technical Breakdown