Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.23.
Published: 2025-12-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from improper neutralization of user-controlled input when the plugin generates web page content (CWE-79). An authenticated attacker can store a crafted payload in plugin content that is later emitted into pages without escaping for the HTML context it lands in, so the script runs in the browser of every visitor who views the affected page. A stored XSS of this kind allows arbitrary client-side code execution, enabling actions performed with the victim's privileges, content defacement, or redirection to attacker-controlled sites. The root cause is missing output neutralization: whatever the plugin accepts on save must still be escaped when it is rendered.

Affected Systems

The affected product is PickPlugins Post Grid and Gutenberg Blocks (plugin slug post-grid) for WordPress; all releases up to and including version 2.3.23 are affected.

Risk and Exploitability

The CVSS v3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reflects a moderate impact: the flaw is reachable over the network with low attack complexity, requires a low-privileged authenticated account (PR:L) and a victim who views the page (UI:R), and carries a scope change (S:C) because the payload executes in visitors' browsers rather than in the plugin itself. The score was raised from 5.4 on 23 April 2026 when the availability impact was changed from None to Low (see History). The EPSS score of < 1% indicates a low probability of exploitation at present, the Vulnrichment SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial, and the vulnerability is not cataloged in CISA's KEV list. The likely attack path is an authenticated user with post-editing rights, such as a Contributor or Author, inserting a post-grid block whose attributes carry JavaScript; because block attributes are stored with the post content, every subsequent page view executes the script in the viewer's browser context.

Generated by OpenCVE AI on April 29, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Post Grid and Gutenberg Blocks to a release newer than 2.3.23. The advisory lists 2.3.23 as the last affected version, which points to 2.3.24 or later, but this page records no vendor-confirmed fixed version, so confirm the fix in the plugin changelog before treating the upgrade as complete.
  • Review posts and pages that contain post-grid blocks for attribute values carrying HTML or script fragments. Whether re-saving helps depends on the fix: a fix that escapes on output neutralizes already-stored payloads on the next render, while a fix that sanitizes on save only protects content saved after the upgrade.
  • Run a site-wide content audit (published content, drafts and revisions) for <script> tags, on*= event handlers and javascript: URLs inside block attributes, remove anything injected, and repeat the audit after upgrading to confirm no new vectors remain.
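The audit step above, and the storage mechanism described under Impact, are easier to reason about with a concrete scanner. The following is an added example written for this page; it is not code from OpenCVE, Patchstack or PickPlugins. It parses Gutenberg block delimiters out of post_content, decodes the attribute JSON (undoing Gutenberg's \u003c-style escaping of angle brackets), and flags attribute strings that look like XSS payloads. The block name "post-grid/post-grid" and the attribute keys are hypothetical placeholders, and the sample posts are constructed so the script runs offline.

```python
"""Audit exported WordPress post_content for Gutenberg blocks whose stored
attributes carry script-like payloads.

Added example for this advisory; not code from OpenCVE or PickPlugins.
Assumptions (labelled): the block name "post-grid/post-grid" and every
attribute key are hypothetical placeholders, and SAMPLE_POSTS is constructed
so the scanner runs offline. In practice feed it post_content pulled from
the database (including revisions), e.g. via `wp post get <id> --field=post_content`.
"""
import json
import re

# Gutenberg stores a block as an HTML comment delimiter with its attributes as
# JSON: <!-- wp:ns/name {"k":"v"} --> ... <!-- /wp:ns/name --> or a self-closing
# <!-- wp:ns/name {"k":"v"} /-->. A stored-XSS payload against a block plugin
# lives in that JSON until the plugin echoes it into a page without escaping.
BLOCK_START = re.compile(
    r"<!--\s+wp:(?P<name>[a-z0-9][a-z0-9_-]*(?:/[a-z0-9][a-z0-9_-]*)?)\s*"
)

# Triage heuristics for text that has no business inside a plain-text block
# attribute. They are deliberately broad (they will flag some benign prose);
# review each hit rather than deleting blindly.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("active embed", re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I)),
]


def iter_blocks(content):
    """Yield (block_name, attributes_dict) for every block delimiter in content.

    Attributes are parsed with raw_decode from the first '{' so nested JSON is
    handled; Gutenberg's own escaping of '<' as \\u003c is undone by the JSON
    decoder, so payloads are inspected in the form the browser would see.
    """
    decoder = json.JSONDecoder()
    for m in BLOCK_START.finditer(content):
        attrs = {}
        pos = m.end()
        if content.startswith("{", pos):
            try:
                attrs, _ = decoder.raw_decode(content, pos)
            except json.JSONDecodeError:
                attrs = {"_unparsed": content[pos:pos + 200]}
        yield m.group("name"), attrs


def _strings(value, path=""):
    """Walk nested dict/list attributes and yield (dotted_path, string_value)."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from _strings(sub, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, sub in enumerate(value):
            yield from _strings(sub, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def scan_content(post_id, content):
    """Return one finding per suspicious attribute string in a post's content."""
    findings = []
    for name, attrs in iter_blocks(content):
        for path, text in _strings(attrs):
            for reason, rx in SUSPICIOUS:
                if rx.search(text):
                    findings.append({"post_id": post_id, "block": name,
                                     "attr": path, "reason": reason,
                                     "value": text[:80]})
                    break  # one finding per attribute is enough for triage
    return findings


def audit(posts):
    """Scan a {post_id: post_content} mapping and return all findings."""
    return [f for pid, content in posts.items() for f in scan_content(pid, content)]


# Constructed sample post_content (not real site data). 101 is clean; 102 breaks
# out of an attribute with an event handler; 103 carries a javascript: URL and a
# <script> tag stored the way Gutenberg serialises it (\u003c / \u003e escapes).
SAMPLE_POSTS = {
    101: ('<!-- wp:paragraph -->\n<p>Welcome to the blog.</p>\n<!-- /wp:paragraph -->\n'
          '<!-- wp:post-grid/post-grid {"gridTitle":"Latest news","columns":3,'
          '"readMore":{"text":"Read more"}} /-->'),
    102: ('<!-- wp:post-grid/post-grid {"gridTitle":"x\\" onmouseover=\\"alert(document.cookie)",'
          '"columns":2} /-->'),
    103: ('<!-- wp:post-grid/post-grid {"readMore":{"text":"More","url":"javascript:alert(1)"},'
          '"description":"\\u003cscript\\u003ealert(1)\\u003c/script\\u003e","columns":1} /-->'),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTS):
        print(f"post {finding['post_id']}: block {finding['block']} attr {finding['attr']} "
              f"-> {finding['reason']}: {finding['value']!r}")
```

Scanning attributes after JSON decoding matters: Gutenberg writes `<` into attribute JSON as `\u003c`, so a grep for `<script` over raw post_content misses exactly the payloads this class of bug stores. The heuristics are intentionally noisy; treat hits as a review queue, not as a delete list, and run the same scan over revisions and drafts, which keep the payload alive even after the published copy is cleaned.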


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.18.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.23.

Type: Title
Removed: WordPress Post Grid and Gutenberg Blocks plugin <= 2.3.18 - Cross Site Scripting (XSS) vulnerability
Added: WordPress Post Grid and Gutenberg Blocks plugin <= 2.3.23 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 12:30:00 +0000

Type: First Time appeared
Added: Pickplugins; Pickplugins post Grid; Wordpress; Wordpress wordpress

Type: Vendors & Products
Added: Pickplugins; Pickplugins post Grid; Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics
Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.18.

Type: Title
Added: WordPress Post Grid and Gutenberg Blocks plugin <= 2.3.18 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Added: CWE-79

Type: References
Added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:31.280Z

Reserved: 2025-12-19T10:20:18.891Z

Link: CVE-2025-68605

Vulnrichment

Updated: 2025-12-24T18:43:40.278Z

NVD

Status : Deferred

Published: 2025-12-24T13:16:28.060

Modified: 2026-04-27T19:16:36.287

Link: CVE-2025-68605

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses