Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS. This issue affects Gutenberg Blocks: from n/a through <= 1.2.8.
Published: 2026-03-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation that permits malicious scripts to be reflected in browser responses. An attacker can craft a URL or input containing JavaScript code that is executed in the victim’s browser when the page is loaded, potentially enabling credential theft, session hijacking, or defacement. The weakness corresponds to CWE‑79 and can compromise the confidentiality and integrity of the affected site.

Affected Systems

The flaw affects the ThemeHunk Gutenberg Blocks ("Unlimited Blocks For Gutenberg") plugin on WordPress installations running version 1.2.8 or earlier. Sites using this plugin, regardless of other WordPress components, are vulnerable until the plugin is upgraded to a version later than 1.2.8.

Risk and Exploitability

The EPSS score is below 1%, indicating a low probability of widespread exploitation, and the vulnerability has not been listed in the CISA KEV catalog. However, the attack vector is likely remote via a crafted URL or form input, requiring the victim to visit a malicious link. The CVSS severity is not explicitly provided, but the presence of reflected XSS typically translates to a moderate to high impact if it can reach privileged users. Until patched, the vulnerability remains actively exploitable by opportunistic actors.

Generated by OpenCVE AI on April 2, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gutenberg Blocks plugin to a version newer than 1.2.8; if an update is not immediately available, disable or delete the plugin to eliminate the attack surface.
  • Exercise caution when visiting unfamiliar URLs on sites that use this plugin, and ensure site administrators scrutinize URLs accessed by users to detect potential malicious injections.
  • Verify that all other components of the WordPress installation are current, as unpatched versions may provide additional vectors for XSS or related attacks.

Generated by OpenCVE AI on April 2, 2026 at 03:02 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through <= 1.2.8.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Themehunk; Themehunk gutenberg Blocks; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themehunk; Themehunk gutenberg Blocks; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 08:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8.

Type: Title
Values Added: WordPress Gutenberg Blocks – Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T16:00:42.295Z

Reserved: 2026-02-02T12:53:40.963Z

Link: CVE-2026-25438

Vulnrichment

Updated: 2026-03-19T13:59:35.991Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T09:16:17.113

Modified: 2026-04-01T17:28:35.630

Link: CVE-2026-25438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:53Z

Weaknesses