Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Gutenberg Blocks advanced-gutenberg allows Stored XSS. This issue affects Gutenberg Blocks: from n/a through <= 3.3.1.
Published: 2025-07-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a failure to neutralize user-supplied input when the PublishPress Gutenberg Blocks plugin renders block content, which allows stored cross-site scripting in all releases up to and including version 3.3.1. An attacker who can author block content can embed JavaScript that is stored with the block and executed in the browser of every visitor who views a page containing the injected payload.

Affected Systems

WordPress sites that have the PublishPress Gutenberg Blocks plugin installed at versions 3.3.1 or earlier are at risk. The CVE entry does not specify a fixed version, but any release after 3.3.1 is expected to contain a fix.

Risk and Exploitability

Based on the description, the likely attack vector is web‑based: an attacker with sufficient editorial permissions could create or update a Gutenberg block that includes malicious script, which will then execute in the browsers of all site visitors. The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1% signals a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 07:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gutenberg Blocks plugin to the latest release (≥3.4.0) which includes a patch for the stored XSS flaw.
  • If an upgrade cannot be performed immediately, delete or rewrite any Gutenberg block content that may contain unsanitized user input and restrict block editing rights to trusted users only.
  • As a temporary mitigation, implement a Content Security Policy that blocks inline scripts or install a WordPress security plugin that actively filters and blocks XSS payloads.

Advisories
Source | ID | Title
EUVD | EUVD-2025-19864 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Gutenberg Blocks allows Stored XSS. This issue affects Gutenberg Blocks: from n/a through 3.3.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Gutenberg Blocks allows Stored XSS. This issue affects Gutenberg Blocks: from n/a through 3.3.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Gutenberg Blocks advanced-gutenberg allows Stored XSS. This issue affects Gutenberg Blocks: from n/a through <= 3.3.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 03 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Gutenberg Blocks allows Stored XSS. This issue affects Gutenberg Blocks: from n/a through 3.3.1.
Title WordPress Gutenberg Blocks plugin <= 3.3.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.727Z

Reserved: 2025-05-30T14:04:14.279Z

Link: CVE-2025-49032

Vulnrichment

Updated: 2025-07-03T13:04:10.056Z

NVD

Status : Deferred

Published: 2025-07-03T13:15:28.540

Modified: 2026-04-23T15:31:11.793

Link: CVE-2025-49032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:15:11Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')