cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forlazy-blocks lazy-blocks

Direction: descending
Jun 11, 2026

Custom Blocks Constructor – Lazy Blocks # CVE-2026-8981

CVE, Research URL

CVE-2026-8981

Home page URL

Security reports for Custom Blocks Constructor – Lazy Blocks

Application

Custom Blocks Constructor – Lazy Blocks

Date
Jun 09, 2026
Research Description
The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
Affected versions
max 4.3.0.
Status
vulnerable
Apr 24, 2026

Custom Blocks Constructor – Lazy Blocks # CVE-2025-58258

CVE, Research URL

CVE-2025-58258

Home page URL

Security reports for Custom Blocks Constructor – Lazy Blocks

Application

Custom Blocks Constructor – Lazy Blocks

Date
Sep 23, 2025
Research Description
Missing Authorization vulnerability in nK Lazy Blocks lazy-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lazy Blocks: from n/a through <= 4.1.0.
Affected versions
max 4.1.1.
Status
vulnerable
Apr 15, 2026

Custom Blocks Constructor &#8211; Lazy Blocks # CVE-2026-1560

CVE, Research URL

CVE-2026-1560

Home page URL

Security reports for Custom Blocks Constructor &#8211; Lazy Blocks

Application

Custom Blocks Constructor &#8211; Lazy Blocks

Date
Feb 11, 2026
Research Description
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Affected versions
max 4.2.1.
Status
vulnerable
Feb 15, 2025

Custom Blocks Constructor &#8211; Lazy Blocks # CVE-2024-12878

CVE, Research URL

CVE-2024-12878

Home page URL

Security reports for Custom Blocks Constructor &#8211; Lazy Blocks

Application

Custom Blocks Constructor &#8211; Lazy Blocks

Date
Feb 26, 2025
Research Description
The Custom Block Builder WordPress plugin before 3.8.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Affected versions
max 3.8.3.
Status
vulnerable