Description
The Gutenberg Blocks – PublishPress Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Marker Title' and 'Marker Description' parameters for the Maps block in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (client-side code execution)
Action: Immediate Patch
AI Analysis

Impact

The PublishPress Blocks plugin for WordPress is vulnerable to stored cross-site scripting through the Marker Title and Marker Description fields used in the Maps block. Insufficient input sanitization and output escaping allow an attacker who can authenticate as a contributor or higher to insert arbitrary JavaScript that will execute whenever any user loads a page containing the injected content. This can result in session hijacking, credential theft, and other client-side attacks or unauthorized content manipulation.

Affected Systems

The vulnerability affects the PublishPress Blocks – Block Controls, Block Visibility, Block Permissions plugin for WordPress, specifically versions up to and including 3.3.4. Any WordPress site running an affected version and granting contributor-level or higher accounts to users who are not fully trusted is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. Because the vulnerability is not listed in CISA's KEV catalog, it is not known to have been exploited in the wild. The attack requires authenticated access with contributor-level or higher privileges, which many content-based sites may grant. Once exploited, scripts injected via Marker fields run in the browser context of any user who visits the affected page.

Generated by OpenCVE AI on April 21, 2026 at 02:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PublishPress Blocks to version 3.3.5 or later, which removes the vulnerable processing of Marker Title and Marker Description fields.
  • If an upgrade is not immediately possible, delete or sanitize existing Marker Title and Marker Description content in all Maps blocks to eliminate stored scripts.
  • Review any custom block registrations or third-party extensions that use the Maps block to ensure they properly escape or sanitize input before rendering.


Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Added (no values removed):
  First Time appeared: Wordpress; Wordpress wordpress
  Vendors & Products: Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Added (no values removed):
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 05:45:00 +0000

Added (no values removed):
  Description: The Gutenberg Blocks – PublishPress Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Marker Title' and 'Marker Description' parameters for the Maps block in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title: Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks <= 3.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Weaknesses: CWE-79
  References
  Metrics: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:56.375Z

Reserved: 2025-08-05T09:34:58.894Z

Link: CVE-2025-8588

Vulnrichment

Updated: 2025-10-27T15:51:00.577Z

NVD

Status: Deferred

Published: 2025-10-25T06:15:36.997

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:15:06Z

Weaknesses