CVE-2026-3011 (NVD)
Vulnerability Summary
The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the published post or the print view of an injected recipe.
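The ordering problem described in the summary, shown as an added example that is not the plugin's code. `strip_tags` stands in for whatever sanitizer a site uses (in WordPress, typically a `wp_kses` variant); the helper names and the stored value are constructed for illustration.

```php
<?php
// Added illustration; not code from the Recipe Card Blocks plugin.
// Function names and the stored value are constructed for this example.

// Hypothetical decoder: turns \uXXXX sequences back into characters.
function decode_unicode_escapes(string $value): string
{
    return preg_replace_callback(
        '/\\\\u([0-9a-fA-F]{4})/',
        static function (array $m): string {
            return html_entity_decode('&#x' . $m[1] . ';', ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $value
    );
}

// Flawed order: the sanitizer sees no tags, then decoding creates them.
function render_decode_last(string $stored): string
{
    return decode_unicode_escapes(strip_tags($stored));
}

// Corrected order: decode first, sanitize the final form, escape on output.
function render_sanitize_last(string $stored): string
{
    $clean = strip_tags(decode_unicode_escapes($stored));
    return htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample of a stored 'summary' attribute (single quotes keep \u literal).
$stored = 'Best served warm. \u003cscript\u003e/* constructed marker */\u003c/script\u003e';

$flawed = render_decode_last($stored);
$fixed  = render_sanitize_last($stored);

printf("decode last:   %s\n", $flawed);
printf("sanitize last: %s\n", $fixed);
printf("tag present after decode-last:   %s\n", var_export(strpos($flawed, '<script>') !== false, true));
printf("tag present after sanitize-last: %s\n", var_export(strpos($fixed, '<script>') !== false, true));
```

The same check applies to any field that is transformed after sanitization: the sanitizer and the output escaper must run on the final decoded form of the value.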
CVSS v3.1 Base Metrics
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
External References
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/classes/class-wpzoom-helpers.php#L253
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/classes/class-wpzoom-print-template-manager.php#L224
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/structured-data-blocks/class-wpzoom-recipe-card-block.php#L582
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/structured-data-blocks/class-wpzoom-recipe-card-block.php#L592
- https://plugins.trac.wordpress.org/changeset/3470036/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a684bf5f-7cf6-43b1-b457-fdc2ba74852d?source=cve