CVE-2026-11402
Services Section Block <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Block Attribute
Description
The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The payload persists inside HTML comments in post_content, bypassing wp_kses_post sanitization at save time, and executes via both the primary service link anchor and a secondary title-wrapped anchor when the linkIn option is set to 'title'.
INFO
Published Date :
June 18, 2026, 5:34 a.m.
Last Modified :
June 18, 2026, 5:34 a.m.
Remotely Exploit :
No
Source :
Wordfence
Affected Products
The following products are affected by CVE-2026-11402
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Update the Services Section Block plugin to version 1.4.5 or later.
- Sanitize and escape all user-supplied input.
- Implement robust output escaping for all dynamic content.
- Review and restrict contributor-level permissions.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-11402 vulnerability anywhere in the article.