Threat Entry Updated 2026-05-22

CVE-2026-3481 - Wp Blockade Plugin

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the…

PLUGIN Wp Blockade

CVE-2026-3481

MEDIUM CVSS 6.1 2026-05-22

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-27

CVE-2026-3480 - Wp Blockade Plugin

The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead…

PLUGIN Wp Blockade

CVE-2026-3480

MEDIUM CVSS 6.5 2026-04-08

Risk Score

Open Full Technical Breakdown