cleantalk
Vulnerabilities and Security Researches

Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin, CVE-2026-3011

CVE, Research URL

CVE-2026-3011

Home page URL

Security reports for Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

Application

Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin

Published on
Jun 08, 2026
Research Description
The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the published post or the print view of an injected recipe.
Affected versions
max 3.4.14.
Status
vulnerable
Previous vulnerability researches
Free Live Chat, WordPress Website Chat Plugin, Helpdesk Customer Support WP Live Chat App: Chatway (CVE-2026-49082) , Jun 09, 2026
New vulnerability
WP Time Slots Booking Form (CVE-2026-48882) , Jun 10, 2026
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms (CVE-2026-49768) , Jun 10, 2026
Accept Stripe Payments (CVE-2021-47983) , Jun 10, 2026
Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin (CVE-2026-3011) , Jun 10, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-49055) , Jun 10, 2026