CVE-2026-8981 Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfilteredhtml capability across all paths that write to its block template code fields, allowing administrators on multisite installations or single-site installs with DISALLOWUNFILTEREDHTML defined to inject...