Description
The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Promptly
AI Analysis

Impact

This flaw allows authenticated users with contributor privileges to embed arbitrary JavaScript into page content via multiple Gutenberg blocks. The insufficient sanitization of user‑supplied attributes causes the stored scripts to execute in the browsers of any visitor who loads a page containing the compromised block.

Affected Systems

The vulnerability affects the ZoloBlocks – Gutenberg Block Editor Plugin by bdthemes. Versions up to and including 2.3.10 are vulnerable. WordPress sites with this plugin installed and that grant contributor or higher roles the ability to create or edit blocks are at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity flaw, while the EPSS score of less than 1 % suggests a low likelihood of exploitation in the immediate future. The vulnerability is not listed in the CISA KEV catalog, meaning no widespread exploitation has been recorded. The attack requires authenticated contributor access, so site administrators should audit user roles, limit block editing permissions, and apply a patch as soon as possible.

Generated by OpenCVE AI on April 21, 2026 at 18:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ZoloBlocks plugin to the latest released version that removes the insecure input handling.
  • Delete or sanitize any existing blocks that contain injected script content by editing the block attributes or clearing formatting.
  • Limit access for contributor users—consider downgrading them to editors or disabling the vulnerable blocks until the plugin update is applied.

Generated by OpenCVE AI on April 21, 2026 at 18:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31818 The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 02 Oct 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bdthemes
Bdthemes zoloblocks
Wordpress
Wordpress wordpress
Vendors & Products Bdthemes
Bdthemes zoloblocks
Wordpress
Wordpress wordpress

Wed, 01 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Oct 2025 03:30:00 +0000

Type Values Removed Values Added
Description The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Bdthemes Zoloblocks
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:35.412Z

Reserved: 2025-08-15T15:18:36.770Z

Link: CVE-2025-9075

cve-icon Vulnrichment

Updated: 2025-10-01T13:19:31.776Z

cve-icon NVD

Status : Deferred

Published: 2025-10-01T04:16:05.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9075

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:00:36Z

Weaknesses