Description
The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting; an authenticated user with Contributor-level access or higher can inject arbitrary script into pages served to every visitor
Action: Patch Now
AI Analysis

Impact

The Spectra – WordPress Gutenberg Blocks plugin contains a stored Cross‑Site Scripting flaw caused by insufficient input sanitization and output escaping in the "uagb" block. An authenticated user with Contributor-level access or higher can inject malicious script that is persisted in the post and executed whenever any site visitor loads the page.

Affected Systems

The vulnerability affects the Spectra Gutenberg Blocks plugin from brainstormforce. All released versions up to and including 2.19.0 are susceptible; sites running any such version are at risk.

Risk and Exploitability

With a CVSS score of 6.4 the flaw is rated Medium. The EPSS score indicates a very low exploitation probability (<1%), and the issue is not listed in CISA’s KEV catalog. Because an attacker must authenticate with Contributor-level access or higher, the attack surface is limited to users who already hold an account on the site. Once the script is injected, it runs for every visitor to the affected page, potentially leading to defacement, phishing, or malicious content delivery. The medium severity, combined with the authentication requirement, makes the risk lower than that of high‑severity server‑side flaws, but the impact on site visitors and brand reputation remains significant.

Generated by OpenCVE AI on April 22, 2026 at 04:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Spectra Gutenberg Blocks release (2.20 or newer), which fixes the stored XSS flaw. As CWE‑79 guidance notes, correcting the code is the primary defense.
  • Limit Contributor and higher roles to trusted users, or remove the Contributor role entirely, to reduce the attack surface. This limits who can perform the initial injection.
  • Scan existing uagb block content for injected scripts and remove any malicious markup, making sure the remaining content is properly sanitized on input and escaped on output in line with CWE‑79 guidance.
  • As an interim safeguard if the patch cannot be applied immediately, deploy a web application firewall that blocks script tags at the point of submission, or a Content Security Policy that prevents inline scripts from executing.
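For the scan step above, the following Python script is an added example (not code from the OpenCVE page or from the Spectra plugin). It walks the block-delimiter comments that WordPress stores in `post_content`, isolates every `uagb/*` block, and flags the markup patterns a stored XSS payload typically leaves behind, in both the saved HTML and the JSON block attributes. The block names, attribute keys, detection heuristics, and the sample post are constructed for illustration and are not taken from the advisory.

```python
"""Added example: flag script-bearing markup inside Spectra (uagb/*) blocks
stored in WordPress post_content. Not OpenCVE's or the plugin's own code."""
import json
import re

# Opening block comment: "<!-- wp:uagb/name {json attrs} -->" or self-closing "/-->".
OPEN_RE = re.compile(r"<!--\s*wp:(uagb/[\w-]+)(\s+\{.*?\})?\s*(/)?-->", re.S)

# Indicators of injected script. Assumed heuristics, not an exhaustive list.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I)),
]


def iter_uagb_blocks(content):
    """Yield (block_name, attrs_json, inner_html) for each uagb block.

    A self-closing block carries everything in its JSON attributes and has no
    inner HTML. For a paired block the inner HTML runs to the nearest matching
    closer; nested blocks are still visited in their own right by the loop.
    """
    for m in OPEN_RE.finditer(content):
        name, attrs, self_closing = m.group(1), m.group(2) or "", m.group(3)
        if self_closing:
            yield name, attrs, ""
            continue
        closer = re.compile(r"<!--\s*/wp:" + re.escape(name) + r"\s*-->")
        cm = closer.search(content, m.end())
        inner = content[m.end():cm.start()] if cm else content[m.end():]
        yield name, attrs, inner


def _strings(obj):
    """Recursively yield every string value in parsed JSON attributes."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def scan_post(content):
    """Return [(block_name, indicator), ...] for every uagb block with a hit.

    Both the saved HTML and the JSON attribute strings are checked, because a
    block may render from either and an unescaped value can live in both.
    """
    findings = []
    for name, attrs, inner in iter_uagb_blocks(content):
        texts = [inner]
        if attrs:
            try:
                texts.extend(_strings(json.loads(attrs)))
            except json.JSONDecodeError:
                texts.append(attrs)  # malformed JSON: scan it raw rather than skip it
        for label, pattern in SUSPICIOUS:
            if any(pattern.search(text) for text in texts):
                findings.append((name, label))
    return findings


# Constructed sample post_content: one clean heading block, one heading block
# with an injected event handler, and one self-closing block whose attribute
# carries a script tag. Block names and attribute keys are illustrative.
SAMPLE_POST = (
    '<!-- wp:uagb/advanced-heading {"block_id":"a1b2c3","headingTitle":"Welcome"} -->\n'
    '<div class="wp-block-uagb-advanced-heading uagb-block-a1b2c3"><h2>Welcome</h2></div>\n'
    '<!-- /wp:uagb/advanced-heading -->\n'
    '<!-- wp:uagb/advanced-heading {"block_id":"d4e5f6","headingTitle":"Offer"} -->\n'
    '<div class="wp-block-uagb-advanced-heading uagb-block-d4e5f6">'
    '<h2>Offer<img src="x" onerror="alert(1)"></h2></div>\n'
    '<!-- /wp:uagb/advanced-heading -->\n'
    '<!-- wp:uagb/icon-list {"block_id":"789","items":[{"label":"<script src=https://example.invalid/x.js></script>"}]} /-->\n'
)

if __name__ == "__main__":
    for block, indicator in scan_post(SAMPLE_POST):
        print(f"{block}: {indicator}")
```

Feed `scan_post` the `post_content` of each post (for example from a WP-CLI export such as `wp post list --fields=ID,post_content --format=json`, or read directly from the `wp_posts` table), including revisions and drafts, since a Contributor's pending post is stored before it is published. A hit is a lead for review rather than proof of compromise, and the scanner is a clean-up aid only; the durable fix is the plugin update, which escapes block attributes on output.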

Advisories

Source: EUVD
ID: EUVD-2025-8108
Title: The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 26 Mar 2025 19:15:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 05:45:00 +0000

Description added: The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title added: Spectra – WordPress Gutenberg Blocks <= 2.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses added: CWE-79
References added: (no values shown)
Metrics (cvssV3_1) added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:08.163Z

Reserved: 2025-02-28T15:57:19.849Z

Link: CVE-2025-1784

Vulnrichment

Updated: 2025-03-26T18:39:06.377Z

NVD

Status: Deferred

Published: 2025-03-26T06:15:28.557

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses