CVE-2025-1703 - Vulnerability Details

- Ultimate Blocks <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter

Description

The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-03-26

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Ultimate Blocks plugin for WordPress contains a stored cross-site scripting flaw that allows an authenticated user with Contributor role or higher to inject arbitrary JavaScript through the content parameter. Once injected, the script runs whenever a user visits the affected page, letting the attacker steal session cookies, deface content, or perform other malicious actions. The flaw is classified as CWE-79 and would compromise confidentiality, integrity and availability of the website if exploited.

Affected Systems

The vulnerability affects the Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor plugin for WordPress. All releases up to and including version 3.2.7 are impacted. Users on older or later versions are not affected unless they have not upgraded.

Risk and Exploitability

With a CVSS score of 6.4 the flaw is of moderate severity. The EPSS score is less than 1%, indicating a low likelihood that existing attack tools will target this weakness. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authenticated access, an attacker must first obtain a Contributor level or higher user account. Once the exploit is triggered, every visitor to the stored content will run the injected script, making the threat level high for sites with untrusted contributors.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ultimateblocks

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.2.7

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Ultimate Blocks plugin to version 3.2.8 or later.
If an immediate update is not possible, monitor and delete any content that may contain injected scripts and temporarily disable contributor role functionality until the plugin is patched.
Restrict Contributor or higher privileges to trusted users only and review current users with those roles.

Generated by OpenCVE AI on April 20, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-8127	The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0013.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/ultimate-blocks/trunk/src/extensions/responsive-control/class-responsive-control.php#L46
https://plugins.trac.wordpress.org/changeset/3260377
https://plugins.trac.wordpress.org/changeset/3260377/ultimate-blocks/trunk/src/extensions/responsive-control/class-responsive-control.php
https://wordpress.org/plugins/ultimate-blocks/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2520d98-3cee-4431-bf9c-b2fd01a584ce?source=cve

History

Thu, 03 Apr 2025 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 26 Mar 2025 09:45:00 +0000

Type	Values Removed	Values Added
Description		The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Ultimate Blocks <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/ultimate-blocks/trunk/src/extensions/responsive-control/class-responsive-control.php#L46 https://plugins.trac.wordpress.org/changeset/3260377 https://plugins.trac.wordpress.org/changeset/3260377/ultimate-blocks/trunk/src/extensions/responsive-control/class-responsive-control.php https://wordpress.org/plugins/ultimate-blocks/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/a2520d98-3cee-4431-bf9c-b2fd01a584ce?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-03-26T09:21:48.784Z

Updated: 2026-04-08T17:12:37.385Z

Reserved: 2025-02-25T22:43:19.787Z

Link: CVE-2025-1703

Vulnrichment

Updated: 2025-03-26T18:03:43.848Z

NVD

Status : Deferred

Published: 2025-03-26T10:15:15.437

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object