Description
The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Game Review Block plugin for WordPress is vulnerable to stored cross‑site scripting through the className parameter in all versions up to 4.8.1. Insufficient input sanitization and output escaping allow an attacker who has at least Contributor level access to inject arbitrary web scripts that will execute whenever another user views the injected page. This flaw can be used to deface content, steal user credentials, or perform other malicious actions within the site’s authenticated context.

Affected Systems

Marcdk’s Game Review Block plugin for WordPress, versions 4.8.1 and earlier, is affected. Any installation of these versions must be verified and updated.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1% suggests exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires a user with Contributor or higher privileges to inject the payload; from that point the scripts run with the privileges of the affected site visitor. The lack of broader access permissions limits the scope to authenticated users who view compromised pages.

Generated by OpenCVE AI on April 21, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Game Review Block plugin to the latest available version (4.8.2 or later).
  • If an upgrade is not immediately possible, revoke or downgrade Contributor privileges for users that can edit blocks until the patch is applied.
  • After applying the patch, perform a site‑wide audit of blocks to confirm no residual malicious scripts remain.

Generated by OpenCVE AI on April 21, 2026 at 20:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18255 The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00034}

 epss

{'score': 0.00039}

Fri, 13 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Jun 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Game Review Block <= 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:16.110Z

Reserved: 2025-06-09T14:05:26.746Z

Link: CVE-2025-5923

cve-icon Vulnrichment

Updated: 2025-06-13T14:01:43.256Z

cve-icon NVD

Status : Deferred

Published: 2025-06-13T07:15:22.663

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5923

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses