Zypento Blocks Plugin Vulnerability (CVE-2026-5820)

Security Alert Summary

The Zypento Blocks plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the Table of Contents block that allows authenticated users with Author-level access or higher to inject scripts into page content. The issue originates from front-end rendering code inserting untrusted heading text into the page DOM without proper sanitization.


CVE Details

  • CVE ID: CVE-2026-5820
  • Affected component: Zypento Blocks plugin – Table of Contents block
  • Affected versions: All versions up to and including 1.0.6
  • Published: April 22, 2026 at 09:16:25 AM UTC
  • Last modified: April 22, 2026 at 09:16:25 AM UTC
  • CVSS v3.1 Base Score: 6.4 (MEDIUM)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges: Authentication required; Author-level access or higher (PR:L)
  • User interaction: None (UI:N)
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE: CWE-79 (Cross-site Scripting)

Technical Details

According to the reported information, the vulnerability is a stored cross-site scripting issue in the plugin’s Table of Contents block. The front-end TOC rendering script reads heading text via innerText and then inserts that content into the page using innerHTML without proper sanitization. Because the content is written into the DOM as HTML, an authenticated user with sufficient privileges (Author or higher) can store a payload that will execute in the browsers of users who view the injected page.

The issue exists because untrusted heading text is not sanitized or escaped before being rendered into the page HTML; the report references the TOC rendering code paths where this DOM write occurs. The impact is limited to script execution in the context of pages that include the affected Table of Contents block and does not, by itself, indicate direct remote code execution on the server.
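To make the two rendering patterns concrete, here is an added stand-alone JavaScript model (not the plugin's code and not from the advisory): headings are plain objects instead of DOM nodes, and the TOC list is built as an HTML string, once with heading text concatenated raw (the innerHTML pattern described above) and once with the text escaped first.

```javascript
// Added example, not the plugin's code: models a Table of Contents block
// building its list from heading text. In a browser the headings would come
// from document.querySelectorAll('h2, h3') with text read via innerText.

// Constructed sample headings; the third one carries markup in its text.
const SAMPLE_HEADINGS = [
  { level: 2, text: 'Introduction' },
  { level: 3, text: 'Setup & "Install"' },
  { level: 2, text: 'Notes <script>/* attacker-controlled */</script>' },
];

// Vulnerable pattern: heading text goes straight into an HTML string that is
// later assigned with innerHTML, so any markup in the text is parsed as HTML.
function buildTocVulnerable(headings) {
  let html = '<ul class="toc">';
  for (const h of headings) {
    html += `<li class="toc-level-${h.level}">${h.text}</li>`;
  }
  return html + '</ul>';
}

// Minimal entity escaping for text placed in element content or inside a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every untrusted value is escaped before it enters the
// markup, and the level is validated before it is used in an attribute.
// In real DOM code the equivalent fix is document.createElement plus
// textContent (or createTextNode) instead of innerHTML.
function buildTocSafe(headings) {
  let html = '<ul class="toc">';
  for (const h of headings) {
    const level = Number.isInteger(h.level) ? h.level : 0;
    html += `<li class="toc-level-${level}">${escapeHtml(h.text)}</li>`;
  }
  return html + '</ul>';
}

// Check helper: true if the rendered HTML contains any tag other than the
// template's own <ul>/<li>, i.e. markup that leaked in from heading text.
function leaksMarkup(html) {
  return /<(?!\/?(ul|li)\b)/.test(html);
}
```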


How This Could Impact Your Website

In a typical WordPress environment, a site owner or administrator may allow multiple internal staff members and external contributors to publish content. If an author-level user or higher inserts specially crafted heading text into a page using the Table of Contents block, that payload can be stored and executed later when other users (including editors, administrators, or visitors) view the page. Practical consequences include exposure of session information in the viewer’s browser, disclosure of data accessible via an authenticated user’s browser, or the ability to run actions in the victim’s browser that could support targeted phishing or social-engineering campaigns.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and authors who can publish content.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and logs for unusual behavior, particularly content changes to pages that include the Table of Contents block.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
