{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3661", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-15T19:13:50.396Z", "datePublished": "2025-04-19T09:23:02.626Z", "dateUpdated": "2026-04-08T17:33:37.050Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:37.050Z"}, "affected": [{"vendor": "bobbingwide", "product": "SB Chart block", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "SB Chart block <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6afe4b6-c38c-46fa-82d5-95cb35c2c30f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sb-chart-block/trunk/sb-chart-block.php#L104"}, {"url": "https://wordpress.org/plugins/sb-chart-block/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3276462/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-04-18T20:33:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-21T14:58:57.398427Z", "id": "CVE-2025-3661", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T15:01:19.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3661", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-21T14:58:57.398427Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T14:59:24.758Z"}}], "cna": {"title": "SB Chart block <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bobbingwide", "product": "SB Chart block", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-18T20:33:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6afe4b6-c38c-46fa-82d5-95cb35c2c30f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sb-chart-block/trunk/sb-chart-block.php#L104"}, {"url": "https://wordpress.org/plugins/sb-chart-block/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3276462/"}], "descriptions": [{"lang": "en", "value": "The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:37.050Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3661", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:37.050Z", "dateReserved": "2025-04-15T19:13:50.396Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-19T09:23:02.626Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SB Chart block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento SB Chart block para WordPress es vulnerable a Cross Site Scripting almacenado a trav\u00e9s del par\u00e1metro 'className' en todas las versiones hasta la 1.2.6 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-3661", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-19T10:15:14.200", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sb-chart-block/trunk/sb-chart-block.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3276462/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/sb-chart-block/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6afe4b6-c38c-46fa-82d5-95cb35c2c30f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:13:02.007102+00:00", "value": {"mitigation_remediation": ["Update SB Chart block to version 1.2.7 or later, which removes the vulnerability.", "If an immediate update is not possible, restrict Contributor and higher roles from using the block, or remove the className field when rendering the content.", "Implement server\u2011side sanitization of the className parameter and ensure proper output escaping to eliminate XSS vectors."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting for authenticated users with Contributor or higher access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SB Chart block plugin from bobbingwide, specifically all releases up to and including version 1.2.6. Users running any of these versions are at risk, while newer releases beyond 1.2.6 are not impacted.", "description_and_impact": "The SB Chart block plugin contains a stored XSS vulnerability that arises from insufficient input sanitization of the className parameter. When an authenticated user with Contributor privileges or higher injects malicious JavaScript via this field, the payload is saved in the database and executed each time anyone views the affected page. Attackers can hijack user sessions, deface content, or steal sensitive information, and the flaw persists until the data is removed or the plugin is updated.", "risk_and_exploitability": "With a CVSS score of 6.4 the flaw is considered moderate, and the EPSS score of < 1% indicates a low probability of exploitation in the wild. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Exploitation requires the plugin to be installed and an attacker to have at least Contributor access; the attack path involves submitting a block with a crafted className value, which is then stored and rendered for all visitors. Due to the authenticated requirement, the risk is contained to sites with exposed Contributor accounts, but the impact on the site's user base can still be significant."}}}}, "created": "2026-04-20T23:15:06.310440+00:00", "updated": "2026-04-20T23:15:06.310450+00:00", "vendors": []}