Description
The Useful Tab Block – Responsive & AMP-Compatible plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Useful Tab Block – Responsive & AMP-Compatible plugin allows authenticated users with Contributor level or higher to store malicious JavaScript in the ‘className’ field. Because input is not properly sanitized and output is not escaped, the injected script is saved to the post and runs in the browsers of any user who visits the page. This stored XSS can be used to hijack sessions, steal credentials, deface content, or execute arbitrary code in the context of the WordPress site.

Affected Systems

The vulnerability affects the WordPress plugin "Useful Tab Block – Responsive & AMP-Compatible" by bbc000tommy, for all releases up to and including version 1.3.2. Sites running any WordPress installation with an active instance of this plugin should verify their installed version.

Risk and Exploitability

With a CVSS score of 6.4 the flaw is considered moderate, and an EPSS score of < 1% suggests the exploitation probability is low but not negligible. Because the attack requires Contributor or higher privileges, it is unlikely to be abused remotely by an unauthenticated attacker, but anyone with the needed role (such as a legitimate contributor or an attacker who has compromised a contributor account) can inject arbitrary script. The flaw is not listed in the CISA KEV catalog, but site administrators should treat it with caution given the potential impact of XSS.

Generated by OpenCVE AI on April 21, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Useful Tab Block – Responsive & AMP-Compatible plugin to a version newer than 1.3.2, when available.
  • If an upgrade is not possible, disable the plugin or remove it from sites where Contributor‑level contributors are allowed to edit content.
  • When a temporary measure is needed, limit the plugin’s ‘className’ parameter to safe values by adding server‑side sanitization or by removing the parameter entirely from the editable fields.
  • Use a content security policy that blocks inline scripts and restricts script sources to reduce the impact of any remaining XSS injection.

Generated by OpenCVE AI on April 21, 2026 at 19:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21853 The Useful Tab Block – Responsive & AMP-Compatible plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 18 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 18 Jul 2025 05:30:00 +0000

Type Values Removed Values Added
Description The Useful Tab Block – Responsive & AMP-Compatible plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Useful Tab Block – Responsive & AMP-Compatible <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:13.073Z

Reserved: 2025-06-05T21:41:57.683Z

Link: CVE-2025-5754

cve-icon Vulnrichment

Updated: 2025-07-18T13:51:37.668Z

cve-icon NVD

Status : Deferred

Published: 2025-07-18T06:15:25.893

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses