3 vulnerabilities by ckp267
CVE-2026-6378 (GCVE-0-2026-6378)
Vulnerability from cvelistv5 – Published: 2026-05-02 03:36 – Updated: 2026-05-04 17:10
Title
Maxi Blocks <= 2.1.9 - Authenticated (Author+) Stored Cross-Site Scripting via Style Card REST API
Summary
The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including across the entire WordPress admin panel.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
10 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| ckp267 | MaxiBlocks Builder \| 17,000+ Design Assets, Patterns, Icons & Starter Sites | Affected: 0 , ≤ 2.1.9 (semver) |
Credits
Athiwat Tiprasaharn (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T17:10:37.349030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:10:49.270Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons \u0026 Starter Sites",
"vendor": "ckp267",
"versions": [
{
"lessThanOrEqual": "2.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin\u0027s style card styles are loaded, including across the entire WordPress admin panel."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T03:36:42.285Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22f05048-df38-4f26-82a3-53caac995283?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.9/core/class-maxi-api.php#L979"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.9/core/class-maxi-api.php#L221"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.9/core/class-maxi-style-cards.php#L197"
},
{
"url": "https://github.com/maxi-blocks/maxi-blocks/pull/6250/changes/8db3267df9858f684e420566227ed2ea7954d9a9"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L979"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L981"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L987"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L1010"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.10/core/class-maxi-api.php#L1021"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T10:47:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-01T14:44:43.000Z",
"value": "Disclosed"
}
],
"title": "Maxi Blocks \u003c= 2.1.9 - Authenticated (Author+) Stored Cross-Site Scripting via Style Card REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6378",
"datePublished": "2026-05-02T03:36:42.285Z",
"dateReserved": "2026-04-15T17:07:54.863Z",
"dateUpdated": "2026-05-04T17:10:49.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2028 (GCVE-0-2026-2028)
Vulnerability from cvelistv5 – Published: 2026-04-24 03:27 – Updated: 2026-04-24 13:59
Title
Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter
Summary
The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Wordfence
References
6 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| ckp267 | MaxiBlocks Builder \| 17,000+ Design Assets, Patterns, Icons & Starter Sites | Affected: 0 , ≤ 2.1.8 (semver) |
Credits
Teerachai Somprasong (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T13:58:56.361470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T13:59:29.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons \u0026 Starter Sites",
"vendor": "ckp267",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teerachai Somprasong"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the \u0027maxi_remove_custom_image_size\u0027 AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T03:27:06.728Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44"
},
{
"url": "https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3476709%40maxi-blocks\u0026new=3476709%40maxi-blocks\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T10:47:43.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-23T14:43:34.000Z",
"value": "Disclosed"
}
],
"title": "Maxi Blocks \u003c= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via \u0027old_media_src\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2028",
"datePublished": "2026-04-24T03:27:06.728Z",
"dateReserved": "2026-02-05T21:46:52.497Z",
"dateUpdated": "2026-04-24T13:59:29.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6885 (GCVE-0-2024-6885)
Vulnerability from cvelistv5 – Published: 2024-07-23 02:01 – Updated: 2026-04-08 16:42
Title
MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles <= 1.9.2 - Authenticated (Subscriber+) Arbitrary File Deletion
Summary
The MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maxi_remove_custom_image_size and maxi_add_custom_image_size functions in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity
8.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Wordfence
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| ckp267 | MaxiBlocks Builder \| 17,000+ Design Assets, Patterns, Icons & Starter Sites | Affected: 0 , ≤ 1.9.2 (semver) |
Credits
Lucio Sá (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6885",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-24T15:11:39.594077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T15:11:51.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.220Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/249b08c5-7429-4690-9f08-fc3f049aa62c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-maxi-image-crop.php#L42"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-maxi-image-crop.php#L100"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/plugin.php#L221"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons \u0026 Starter Sites",
"vendor": "ckp267",
"versions": [
{
"lessThanOrEqual": "1.9.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons \u0026 100 Styles plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maxi_remove_custom_image_size and maxi_add_custom_image_size functions in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:14.238Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/249b08c5-7429-4690-9f08-fc3f049aa62c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-maxi-image-crop.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/core/class-maxi-image-crop.php#L100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/1.9.2/plugin.php#L221"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-07T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-07-22T13:02:24.000Z",
"value": "Disclosed"
}
],
"title": "MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons \u0026 100 Styles \u003c= 1.9.2 - Authenticated (Subscriber+) Arbitrary File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6885",
"datePublished": "2024-07-23T02:01:41.694Z",
"dateReserved": "2024-07-18T16:20:43.095Z",
"dateUpdated": "2026-04-08T16:42:14.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}