cleantalk
Vulnerabilities and Security Researches

MaxiBlocks Free Page Builder & Template Library, CVE-2026-6378

CVE, Research URL

CVE-2026-6378

Home page URL

Security reports for MaxiBlocks Free Page Builder & Template Library

Application

MaxiBlocks Free Page Builder & Template Library

Published on
May 02, 2026
Research Description
The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including across the entire WordPress admin panel.
Affected versions
max 2.1.10.
Status
vulnerable
Previous vulnerability researches
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2025-54004) , Jan 11, 2026
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2025-3780) , Jul 12, 2025
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2026-2554) , May 03, 2026
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2022-4938) , Jun 06, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2022-4937) , Jun 06, 2024
New vulnerability
MaxiBlocks Free Page Builder & Template Library (CVE-2026-6378) , May 03, 2026
App Builder – Create Native Android & iOS Apps On The Flight (CVE-2026-7638) , May 03, 2026
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible (CVE-2026-2554) , May 03, 2026
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto (CVE-2024-13362) , May 03, 2026
Marijuana Age Verify (CVE-2024-13362) , May 03, 2026