Impact
The Gutenberg Essential Blocks plugin for WordPress allows a stored cross‑site scripting vulnerability through the ‘configurablePrefix’ block attribute. This vulnerability arises from insufficient input sanitization and output escaping, enabling authenticated users with Contributor or higher privileges to embed arbitrary JavaScript that will run whenever a page containing the injected block is viewed. Successful exploitation can lead to defacement, session hijacking, or malicious code execution on the victim’s browser, affecting the confidentiality and integrity of site content and user sessions.
Affected Systems
WordPress sites using the Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin, versions up to and including 6.1.4. The vulnerability is present in all installations of that plugin where the block attribute exists and does not require any additional plugins or configuration changes.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate severity, and the EPSS score is not available, making it difficult to gauge current exploit prevalence. It is not listed in the CISA KEV catalog. The attack vector requires an authenticated user with at least Contributor access, meaning it is not publicly exploitable without login credentials but is accessible to legitimate users with moderate privileges. Once injected, the payload persists until the block data is removed, so the risk persists as long as the vulnerable plugin version is in use.
OpenCVE Enrichment