cleantalk
Vulnerabilities and Security Researches

Page Builder Gutenberg Blocks – CoBlocks, CVE-2026-4801

CVE, Research URL

CVE-2026-4801

Home page URL

Security reports for Page Builder Gutenberg Blocks – CoBlocks

Application

Page Builder Gutenberg Blocks – CoBlocks

Published on
Apr 18, 2026
Research Description
The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up to, and including, 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds in the Events block rendering function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.1.17.
Status
vulnerable
Previous vulnerability researches
Categories Images (CVE-2026-40734) , Apr 17, 2026
Categories Images (CVE-2026-2505) , Apr 20, 2026
New vulnerability
Page Builder Gutenberg Blocks – CoBlocks (CVE-2026-4801) , Apr 20, 2026
Categories Images (CVE-2026-2505) , Apr 20, 2026
Contextual Related Posts (CVE-2026-2986) , Apr 20, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-8615) , Apr 20, 2026
Hostel (CVE-2026-1838) , Apr 20, 2026