Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blockspare Blockspare blockspare allows Stored XSS.This issue affects Blockspare: from n/a through <= 3.2.9.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation, allowing a stored cross‑site scripting flaw in the WordPress Blockspare plugin. When an attacker can embed malicious script code into a Blockspare block, the script will run in the browsers of any site visitor or administrator who views the block, potentially compromising the security of the site.

Affected Systems

All installations of the Blockspare WordPress plugin from its first release through version 3.2.9 are vulnerable, regardless of site configuration.

Risk and Exploitability

The CVSS score of 6.5 places this vulnerability in the medium severity range. The EPSS score of less than 1% indicates a very low likelihood of exploitation at this time, and it is not listed in CISA’s KEV catalog. Based on the nature of stored XSS, it is inferred that the attacker must be able to insert or modify a Blockspare block, which typically requires edit or administrator privileges. If such access is granted, the attacker can store malicious scripts that will execute whenever the block is rendered.

Generated by OpenCVE AI on May 2, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blockspare plugin to a version newer than 3.2.9, or apply any vendor‑supplied patch addressing the XSS flaw.
  • If an update is not available or feasible, disable or remove the Blockspare plugin to eliminate the vulnerable code path.
  • Review any custom templates or code that renders Blockspare block content and ensure that output is properly escaped or sanitized in line with best practices for preventing cross‑site scripting.

Generated by OpenCVE AI on May 2, 2026 at 01:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13828 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blockspare Blockspare allows Stored XSS. This issue affects Blockspare: from n/a through 3.2.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blockspare Blockspare allows Stored XSS. This issue affects Blockspare: from n/a through 3.2.9. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blockspare Blockspare blockspare allows Stored XSS.This issue affects Blockspare: from n/a through <= 3.2.9.
Title WordPress Blockspare <= 3.2.9 - Cross Site Scripting (XSS) Vulnerability WordPress Blockspare plugin <= 3.2.9 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00045}

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blockspare Blockspare allows Stored XSS. This issue affects Blockspare: from n/a through 3.2.9.
Title WordPress Blockspare <= 3.2.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Blockspare Blockspare
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.902Z

Reserved: 2025-05-07T09:39:15.825Z

Link: CVE-2025-47495

cve-icon Vulnrichment

Updated: 2025-05-07T14:47:15.344Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:16:03.877

Modified: 2026-04-23T15:30:20.003

Link: CVE-2025-47495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')