Vulnerabilities and security researches forlazy-blocks lazy-blocks

Feb 15, 2025

CVE, Research URL: CVE-2024-12878
Home page URL: Security reports for Custom Blocks Constructor – Lazy Blocks
Application: Custom Blocks Constructor – Lazy Blocks
Date: Feb 26, 2025
Research Description: The Custom Block Builder WordPress plugin before 3.8.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Affected versions: max 3.8.3.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-1560
Home page URL: Security reports for Custom Blocks Constructor – Lazy Blocks
Application: Custom Blocks Constructor – Lazy Blocks
Date: Feb 11, 2026
Research Description: The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Affected versions: max 4.2.1.
Status: vulnerable