{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14985", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-19T18:47:47.349Z", "datePublished": "2026-01-24T07:26:44.302Z", "dateUpdated": "2026-04-08T17:01:08.331Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:08.331Z"}, "affected": [{"vendor": "robiulawal40", "product": "Alpha Blocks", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018alpha_block_css\u2019 parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Alpha Blocks <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alpha_block_css' Post Meta", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-13T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-23T19:21:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:19:37.327594Z", "id": "CVE-2025-14985", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:19:43.352Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14985", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:19:37.327594Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:19:40.303Z"}}], "cna": {"title": "Alpha Blocks <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alpha_block_css' Post Meta", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "robiulawal40", "product": "Alpha Blocks", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-13T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-23T19:21:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175"}], "descriptions": [{"lang": "en", "value": "The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018alpha_block_css\u2019 parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-24T07:26:44.302Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14985", "state": "PUBLISHED", "dateUpdated": "2026-01-26T18:19:43.352Z", "dateReserved": "2025-12-19T18:47:47.349Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T07:26:44.302Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018alpha_block_css\u2019 parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Alpha Blocks para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'alpha_block_css' en todas las versiones hasta la 1.5.0, inclusive, debido a una sanitizaci\u00f3n insuficiente de la entrada y un escape de la salida. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-14985", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T08:16:06.763", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:11:58.528589+00:00", "value": {"mitigation_remediation": ["Upgrade the Alpha Blocks plugin to the latest version that removes the vulnerability (must be greater than 1.5.0).", "If an upgrade is not possible, restrict or remove the ability of Contributor and higher role users to edit the alpha_block_css field, or remove the field entirely from block settings.", "Enable a content\u2011security policy that blocks inline scripts to reduce the impact of any remaining stored XSS."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are all releases of Alpha Blocks up to and including 1.5.0, a plugin distributed by robiulawal40. The flaw can affect any WordPress installation that has the plugin installed and accepts contributor or higher privileged users.", "description_and_impact": "The vulnerability originates from insufficient input sanitization of the alpha_block_css parameter in the Alpha Blocks WordPress plugin. Because the plugin outputs the value without proper escaping, an attacker can store malicious JavaScript that will run in the browser context of any user who views the affected page. This is a classic stored XSS flaw (CWE\u201179). The impact is that the attacker can steal credentials, session cookies or perform other client\u2011side attacks against users of the WordPress site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score of less than 1\u202f% shows that the likelihood of public exploitation is currently low, and the flaw is not listed in the CISA KEV catalog. However, exploitation requires authenticated access with Contributor\u2011level permissions, making it accessible to users who can create or edit blocks. If such accounts exist, an attacker can inject code that will be executed whenever another site visitor loads a block containing the stored CSS. The attack vector is therefore origin\u2011controlled input from a logged\u2011in user."}}}}, "created": "2026-01-26T11:48:33.130777+00:00", "updated": "2026-04-21T16:15:40.506640+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}