Description
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML attributes in Slider and Post Carousel widgets in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (arbitrary script execution on page views)
Action: Immediate Patch
AI Analysis

Impact

The plugin is vulnerable to stored cross‑site scripting because HTML attribute values in the Slider and Post Carousel widget configuration are neither sanitized on input nor escaped on output. This allows an authenticated user with Contributor or higher privileges to inject JavaScript that executes whenever anyone views the affected page, potentially compromising the browser context of every visitor to that page.

Affected Systems

The vulnerability affects the Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress. All released versions up to and including 5.4.0 are impacted.

Risk and Exploitability

The CVSS base score of 6.4 indicates medium severity. The EPSS score of < 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the flaw is exploitable through the normal WordPress admin interface by users with Contributor-level access or higher, who can add or edit a page using the Slider or Post Carousel widgets and inject script that will run for any visitor to that page.

Generated by OpenCVE AI on April 20, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Essential Blocks – Page Builder plugin to the latest version (5.4.1 or newer), which removes the input sanitization flaw.
  • If upgrading is not currently possible, delete or disable the Slider and Post Carousel widgets from any templates or pages, or avoid using the plugin altogether on the site.
  • Re‑evaluate user roles and remove Contributor or higher access from users who do not require it, or enforce strict role‑based access control for widget management to limit the attack surface.

Advisories

Source: EUVD
ID: EUVD-2025-28071
Title: The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML attributes in Slider and Post Carousel widgets in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 27 May 2025 20:15:00 +0000

Values removed: none
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 May 2025 02:30:00 +0000

Values removed: none
Values added:
  Description: (identical to the description at the top of this record)
  Title: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Slider and Post Carousel Widgets
  Weaknesses: CWE-79
  References: (none listed)
  Metrics (cvssV3_1): {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:58.758Z

Reserved: 2025-05-14T10:35:43.357Z

Link: CVE-2025-4682

Vulnrichment

Updated: 2025-05-27T19:55:16.528Z

NVD

Status: Deferred

Published: 2025-05-27T03:15:23.877

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:45:20Z

Weaknesses