Security Alert Summary
The Recipe Card Blocks Lite plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in the recipe block’s summary and notes attributes. Authenticated users with Author-level access or higher can inject scripts that execute when a published post or the print view of a recipe is opened.
CVE Details
- CVE ID: CVE-2026-3011
- Affected component: Recipe Card Blocks Lite plugin for WordPress
- Affected versions: All versions up to and including 3.4.13
- Published: June 8, 2026 at 12:16:31 PM
- Last modified: June 8, 2026 at 2:57:14 PM
- CVSS v3.1: Base score 6.4, severity MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User interaction:
  - Authentication: required (authenticated attacker)
  - Privileges required: Author-level access and above (CVSS: Privileges Required = LOW)
  - User interaction: None
- Impact (CIA): Confidentiality: Low; Integrity: Low; Availability: None
- Weakness: CWE-79 (Cross-Site Scripting)
Technical Details
The vulnerability is a stored Cross-Site Scripting issue affecting the recipe block attributes summary and notes. The underlying cause is the WPZOOM_Helpers::deserialize_block_attributes method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. Because decoding happens after sanitization, unsafe HTML or script content can be reintroduced into the stored block attributes.
Injected scripts are stored in content and execute whenever a user views the affected published post or uses the print view for the recipe. The CVE references the helper method and code paths used to render recipe output and the print template, indicating the re-decoding occurs in the block deserialization flow.
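The ordering defect described above is easiest to see in a small model. The following is an added example, not code from the plugin or from the advisory: the allow-list sanitizer is a toy stand-in for WordPress' own sanitization, the decoder reverses the five escapes that WordPress core's serialize_block_attributes() emits for block attribute JSON (whether the plugin's helper handles exactly that set is an assumption), and the stored attribute values are constructed. The two pipelines differ only in the order of the same two steps, and that order decides whether encoded markup survives sanitization.

```python
import re

# Escapes that WordPress core applies in serialize_block_attributes() so that
# attribute JSON can sit inside an HTML comment. Reversing them is what a
# "deserialize" helper does; the exact set the plugin reverses is assumed here.
_DECODE_MAP = {
    r"\u002d\u002d": "--",
    r"\u003c": "<",
    r"\u003e": ">",
    r"\u0026": "&",
    r"\u0022": '"',
}

# Toy allow-list: tags kept as-is (attributes dropped); everything else removed.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
_TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][\w-]*)([^>]*)>")


def deserialize_attributes(encoded: str) -> str:
    """Turn \\uXXXX sequences back into the HTML characters they stand for."""
    for seq, ch in _DECODE_MAP.items():
        encoded = encoded.replace(seq, ch)
    return encoded


def sanitize_html(fragment: str) -> str:
    """Toy stand-in for WordPress sanitization (e.g. wp_kses_post).

    Keeps allowed tags without attributes and strips every other tag.
    It only sees tags that are literally present as '<...>' in its input.
    """
    def keep_or_drop(match: re.Match) -> str:
        closing, name = match.group(1), match.group(2).lower()
        if name not in ALLOWED_TAGS:
            return ""          # disallowed tag: remove the markup, keep inner text
        return f"<{closing}{name}>"  # allowed tag: drop any attributes
    return _TAG_RE.sub(keep_or_drop, fragment)


def vulnerable_pipeline(stored_attr: str) -> str:
    """Sanitize first, decode second: encoded markup passes the sanitizer untouched
    and only becomes real HTML afterwards (the pattern the advisory describes)."""
    return deserialize_attributes(sanitize_html(stored_attr))


def fixed_pipeline(stored_attr: str) -> str:
    """Decode first, sanitize second: the sanitizer sees the real HTML."""
    return sanitize_html(deserialize_attributes(stored_attr))


def contains_script_tag(html: str) -> bool:
    """Simple post-render check used to compare the two pipelines."""
    return "<script" in html.lower()


# Constructed sample values in the encoded form a stored attribute would carry.
STORED_NOTES = r"Serve warm. \u003cscript\u003eEXAMPLE\u003c/script\u003e"
STORED_SUMMARY = r"\u003cstrong\u003eTip:\u003c/strong\u003e rest the dough"


def main() -> None:
    for label, value in (("notes", STORED_NOTES), ("summary", STORED_SUMMARY)):
        print(f"[{label}] vulnerable -> {vulnerable_pipeline(value)!r}")
        print(f"[{label}] fixed      -> {fixed_pipeline(value)!r}")


if __name__ == "__main__":
    main()
```

Running the block prints both orderings for each sample: the vulnerable order emits the script element that the sanitizer never saw, while the fixed order keeps the legitimate `<strong>` in the summary and leaves only the text of the disallowed element in the notes. The same ordering check applies to any sanitize-then-decode sequence, not only to block attributes.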
How This Could Impact Your Website
Imagine a site where the owner manages content, an internal editor creates posts, and an external contractor contributes recipes as an Author. An attacker with Author-level access could add a malicious script inside a recipe’s summary or notes. When other users (editors, administrators, or site visitors with access to the print view) open the post or the print view, that script can execute in their browsers.
Practical consequences include potential exposure of sensitive information available to the browser context (such as visible email addresses on the page), and an increased risk of targeted phishing or social engineering against staff or contributors who view affected posts. Actions triggered by the script could also appear in logs or analytics, complicating incident analysis.
If you’re unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor and Author accounts.
- Enforce strong passwords and enable two-factor authentication for Editors and Administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior related to posts and print views.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/classes/class-wpzoom-helpers.php#L253
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/classes/class-wpzoom-print-template-manager.php#L224
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/structured-data-blocks/class-wpzoom-recipe-card-block.php#L582
- https://plugins.trac.wordpress.org/browser/recipe-card-blocks-by-wpzoom/trunk/src/structured-data-blocks/class-wpzoom-recipe-card-block.php#L592
- https://plugins.trac.wordpress.org/changeset/3470036/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a684bf5f-7cf6-43b1-b457-fdc2ba74852d?source=cve