Page Builder Gutenberg Blocks – CoBlocks Plugin Vulnerability (CVE-2026-4801)

Security Alert Summary

The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its Events block. The issue stems from insufficient output escaping of event data retrieved from external iCal feeds, allowing authenticated users with Contributor-level access and above to inject scripts into pages. Injected scripts execute when a user views the affected page.


CVE Details

  • CVE ID: CVE-2026-4801
  • Affected component: The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress
  • Affected versions: All versions up to, and including, 3.1.16
  • Published: April 18, 2026 at 5:16:23 AM UTC
  • Last modified: April 18, 2026 at 5:16:23 AM UTC
  • CVSS v3.1: Base Score 6.4 (MEDIUM) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User interaction: Authentication required (authenticated attacker); Privileges Required: Low (Contributor-level access and above); User Interaction: None
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness: CWE-79 (Cross-site Scripting)

Technical Details

This vulnerability is a stored XSS in the Events block rendering function. Event titles, descriptions, and locations fetched from external iCal feeds are not sufficiently escaped before being output. Because the plugin renders feed content into pages without adequate escaping, an authenticated user with Contributor-level access or higher who can point the block at a crafted iCal feed can place script payloads in those event fields.

When a page containing an injected event is viewed, the browser executes the injected script in the context of that page. The issue exists specifically because output escaping/encoding is missing or insufficient for the event fields (titles, descriptions, locations) as rendered by the Events block.
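The escaping gap described above, as an added example that is not CoBlocks' own code: a hypothetical WordPress render callback that interpolates iCal event fields straight into markup, beside one that escapes them at output. The event array shape, the function names and the sample feed values are constructed for illustration.

```php
<?php
// Added illustration (not the plugin's code). Outside WordPress, provide a
// minimal stand-in for esc_html() so the file runs on plain PHP; inside
// WordPress the real esc_html()/esc_url()/wp_kses_post() are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed sample: what one parsed VEVENT might look like after a feed
// has placed markup in SUMMARY / DESCRIPTION / LOCATION.
$event = array(
    'title'       => 'Town Hall <script>alert(1)</script>',
    'description' => 'Open to all <img src=x onerror="alert(2)">',
    'location'    => 'Room 4 <a href="javascript:alert(3)">map</a>',
);

// Vulnerable pattern (CWE-79): feed text becomes live HTML in the browser.
function example_render_event_unsafe( array $event ) {
    return '<div class="event-item">'
        . '<h4>' . $event['title'] . '</h4>'
        . '<p>' . $event['description'] . '</p>'
        . '<span>' . $event['location'] . '</span>'
        . '</div>';
}

// Hardened pattern: escape every feed-derived field at the point of output.
// esc_html() encodes <, >, &, and quotes so tags are displayed literally.
// If descriptions must keep basic formatting, wp_kses_post() (allowlist
// filtering that drops <script> and on* attributes) is the WordPress choice.
function example_render_event_safe( array $event ) {
    return '<div class="event-item">'
        . '<h4>' . esc_html( $event['title'] ) . '</h4>'
        . '<p>' . esc_html( $event['description'] ) . '</p>'
        . '<span>' . esc_html( $event['location'] ) . '</span>'
        . '</div>';
}

// Compare: the unsafe output contains an executable <script> tag, the safe
// output contains only &lt;script&gt; text.
echo example_render_event_unsafe( $event ), PHP_EOL;
echo example_render_event_safe( $event ), PHP_EOL;
```

Whether the feed data is cached in post meta or fetched on each render does not change the fix: escaping belongs at output, since storage-time filtering can be bypassed by later feed updates.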


How This Could Impact Your Website

Consider a site with multiple WordPress users: a site owner, internal staff who manage content, and external contributors or contractors. If the site uses the CoBlocks Events block and accepts external iCal feeds, a contributor or external contractor who can supply or influence feed content could insert a malicious event entry. When other users or visitors view the page with the injected event, the injected script runs in their browsers.

Practical consequences may include exposure of information visible in the browser (for example, contact details shown on a page), the ability for an attacker to craft actions that appear to come from a trusted page, and an increased risk of targeted phishing or social engineering based on information harvested from pages. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Contributor accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior, such as unexpected content in event feeds or new content posted by low-privilege accounts.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
