Security Vulnerability Report
CVE-2026-5820 CVSS 6.4 MEDIUM

Published: 2026-04-22 09:16:26
Last Modified: 2026-04-22 20:22:51

Description

The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

Zypento Blocks <= 1.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PoC for CVE-2026-5820: Stored XSS in Zypento Blocks. Inject a malicious payload into a post heading that gets reflected in the Table of Contents block.

1. Log in to WordPress as a user with the 'Author' role or higher.
2. Create a new Post.
3. Add a 'Heading' block and enter the following payload as the heading text:
   <img src=x onerror=alert('CVE-2026-5820-XSS')>
   Note: The effectiveness depends on how the browser's innerText interacts with the specific element structure. If innerText strips the tag, alternative payloads involving HTML entities or specific DOM structures might be required based on the exact view.js implementation.
4. Add a 'Table of Contents' block from the Zypento Blocks plugin to the same page.
5. Publish or Preview the page.
6. Observe that the JavaScript alert executes when the Table of Contents renders the heading.

JavaScript representation of the vulnerability logic (vulnerable code pattern):

```javascript
let headingText = element.innerText;  // Get text
tocContainer.innerHTML = headingText; // Unsafe sink
```
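For contrast with the vulnerable pattern above, here is an added example (not code from the Zypento Blocks plugin or this advisory) that places the unsafe "text straight into an HTML sink" TOC builder next to a hardened one that escapes heading text and restricts anchor ids. It runs under Node.js, so the `innerHTML` sink is modelled as HTML string assembly; the function names and the sample headings are this example's own.

```javascript
// Added example, not code from the Zypento Blocks plugin or the advisory.
// Node.js has no DOM, so the innerHTML sink is modelled as HTML string
// assembly; in browser code the equivalent fix is `a.textContent = text`
// (or document.createTextNode) instead of `a.innerHTML = text`.
// Function names below are this example's own.

// Constructed sample headings, as a TOC script collects them from the post
// body. An Author controls this text, so it must be treated as untrusted.
const SAMPLE_HEADINGS = [
  { level: 2, text: "Intro" },
  { level: 3, text: "Tom & Jerry <3" },
  { level: 2, text: "<img src=x onerror=alert(1)>" },
];

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Anchor ids are derived from heading text, so they are also attacker
// influenced: restrict them to a safe alphabet rather than escaping later.
function slugify(text, index) {
  const slug = String(text).toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
  return slug ? `toc-${index}-${slug}` : `toc-${index}`;
}

// Vulnerable pattern described by the advisory: heading text goes into an
// HTML sink unchanged, so markup typed into a heading becomes live DOM.
function renderTocUnsafe(headings) {
  return headings.map((h, i) => `<li><a href="#toc-${i}">${h.text}</a></li>`).join("");
}

// Hardened pattern: every untrusted value is escaped (or id-restricted)
// before it reaches the sink, so the same input renders as literal text.
function renderTocSafe(headings) {
  return headings
    .map((h, i) => {
      const level = Number(h.level) || 2;
      return `<li class="level-${level}"><a href="#${slugify(h.text, i)}">${escapeHtml(h.text)}</a></li>`;
    })
    .join("");
}

// Regression check for the sink: true if any tag other than the TOC's own
// <li>/<a> elements appears in the rendered markup.
function containsForeignTag(html) {
  return /<(?!\/?(?:li|a)\b)[a-z]/i.test(html);
}

console.log(renderTocSafe(SAMPLE_HEADINGS));
```

The `containsForeignTag` check is the kind of assertion a unit test for view.js could carry so that a later refactor cannot silently reintroduce the `innerHTML` sink.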

References

https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L57
https://plugins.trac.wordpress.org/browser/zypento-blocks/tags/1.0.6/assets/js/src/blocks/table-of-contents/view.js#L71
https://www.wordfence.com/threat-intel/vulnerabilities/id/024a6a0f-f819-40e7-9618-71219c27aa64?source=cve

Weakness: CWE-79 (Cross-Site Scripting)
NVD status: Deferred