Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks b-blocks allows Stored XSS. This issue affects B Blocks: from n/a through <= 2.0.0.
Published: 2025-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are stored in the database and executed in subsequent page loads. This stored XSS can compromise the confidentiality and integrity of user data, facilitate session hijacking, and enable phishing or defacement attacks. The weakness is a classic input validation flaw identified as CWE‑79. The description confirms the issue exists in all versions up to and including 2.0.0 of the plugin.

Affected Systems

The affected component is the WordPress B Blocks plugin released by bPlugins, specifically versions up to and including 2.0.0. Any WordPress site that has installed or has ever upgraded to one of these vulnerable releases is potentially impacted.

Risk and Exploitability

The CVSS v3 score of 6.5 indicates moderate severity, but the execution likely requires an authenticated user with permission to add or edit content in the B Blocks interface, as the malicious code is stored by the plugin when content is entered. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, an attacker who is able to submit content through the plugin’s interface can persist scripts that will later execute in the browsers of any user who views the affected page, including administrators. The security community typically recommends that such stored XSS risks be treated with high caution because they can affect many users across multiple sites.

Generated by OpenCVE AI on May 1, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the B Blocks plugin to the latest release that removes the XSS flaw.
  • If an upgrade is not immediately available, disable or remove the B Blocks plugin from the site to eliminate the attack surface.
  • Ensure that the WordPress site is configured to restrict content‑editing capabilities to trusted roles and that any custom input fields from plugins perform proper sanitization and escaping before storing data.

Advisories
Source: EUVD
ID: EUVD-2025-9840
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks - The ultimate block collection allows Stored XSS. This issue affects B Blocks - The ultimate block collection: from n/a through 2.0.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks - The ultimate block collection allows Stored XSS. This issue affects B Blocks - The ultimate block collection: from n/a through 2.0.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks b-blocks allows Stored XSS. This issue affects B Blocks: from n/a through <= 2.0.0.
Title
  Removed: WordPress B Blocks - The ultimate block collection plugin <= 2.0.0 - Stored Cross Site Scripting (XSS) vulnerability
  Added: WordPress B Blocks plugin <= 2.0.0 - Stored Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks - The ultimate block collection allows Stored XSS. This issue affects B Blocks - The ultimate block collection: from n/a through 2.0.0.
Title WordPress B Blocks - The ultimate block collection plugin <= 2.0.0 - Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:18.196Z

Reserved: 2025-04-04T10:01:12.079Z

Link: CVE-2025-32173

Vulnrichment

Updated: 2025-04-04T19:54:06.345Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:26.343

Modified: 2026-04-23T15:28:41.717

Link: CVE-2025-32173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:45:05Z

Weaknesses