Ghostwire
Home / Vulnerabilities / CVE-2026-3498

CVE-2026-3498: The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute...

MEDIUM CVSS 6.4 EPSS 0.03% Exploit Available

Published: April 11, 2026 | Last Modified: April 11, 2026

Description

The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.03% (9th percentile)

Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (14 articles)

CVE Feed
CVE-2026-3498 - BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute
 Tenable CVEs
CVE-2026-34987
 CVE Feed
CVE-2026-34988 - Wasmtime leaks data between pooling allocator instances
 Tenable CVEs
CVE-2026-34988
 CVE Feed
CVE-2026-34983 - Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`
 Tenable CVEs
CVE-2026-34983
 Tenable CVEs
CVE-2026-34985
 Tenable CVEs
CVE-2026-34989
 Tenable CVEs
CVE-2026-34986
 Tenable CVEs
CVE-2026-34981
 Tenable CVEs
CVE-2026-34982
 Tenable CVEs
CVE-2026-34980
 CVE Feed
CVE-2026-34980 - OpenPrinting CUPS: Shared PostScript queue lets anonymous Print-Job requests reach `lp` code execution over the network
 GBHackers
Vim Modeline Vulnerability Opens Door to Arbitrary OS Command Execution

References