Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ultimate Blocks Ultimate Blocks ultimate-blocks allows Stored XSS.This issue affects Ultimate Blocks: from n/a through <= 3.3.6.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows an attacker to store arbitrary JavaScript or HTML in the Ultimate Blocks plugin content. When other users view the affected page, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or credential theft.

Affected Systems

The vulnerability exists in the Ultimate Blocks plugin for WordPress, versions up to and including 3.3.6. Any WordPress site that installs this plugin and uses it to create or display content is potentially exposed.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity rating. The EPSS score of less than 1 % and absence from the CISA KEV catalogue suggest a low likelihood of widespread exploitation. Based on the description, the vulnerability appears to be exploitable by an attacker who can insert content via the plugin’s block editor; the malicious payload is then stored and rendered for all visitors who view the affected page. This inference is derived from the stored‑XSS nature of the flaw, though the public data does not specify required authentication or specific privileges.

Generated by OpenCVE AI on April 29, 2026 at 23:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ultimate Blocks to a version newer than 3.3.6 to apply the vendor‑provided fix.
  • If an upgrade is not immediately feasible, disable the plugin or remove any user‑supplied blocks to prevent the execution of stored scripts.
  • Apply server‑side input validation or enforce a Content Security Policy that disallows inline scripts from user content.

Generated by OpenCVE AI on April 29, 2026 at 23:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 23 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Ultimateblocks
Ultimateblocks ultimateblocks
Wordpress
Wordpress wordpress
Vendors & Products Ultimateblocks
Ultimateblocks ultimateblocks
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ultimate Blocks Ultimate Blocks ultimate-blocks allows Stored XSS.This issue affects Ultimate Blocks: from n/a through <= 3.3.6.
Title WordPress Ultimate Blocks plugin <= 3.3.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Ultimateblocks Ultimateblocks
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:25:12.288Z

Reserved: 2025-06-11T16:07:08.211Z

Link: CVE-2025-49929

cve-icon Vulnrichment

Updated: 2025-10-23T15:22:06.508Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:38.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49929

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses