{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4420", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-08T00:07:55.910Z", "datePublished": "2025-06-03T08:21:53.379Z", "dateUpdated": "2026-04-08T17:27:28.775Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:28.775Z"}, "affected": [{"vendor": "themehunk", "product": "Vayu Blocks \u2013 Website Builder for the Block Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vayu Blocks \u2013 Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018containerWidth\u2019 parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Vayu Blocks <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via containerWidth Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db01bc0a-4508-4fb5-941d-3f1a52528e2b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/admin-api.php#L6"}, {"url": "https://wordpress.org/plugins/vayu-blocks/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3303594/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "timeline": [{"time": "2025-06-02T20:13:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-03T13:28:06.550343Z", "id": "CVE-2025-4420", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T13:28:12.793Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4420", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-03T13:28:06.550343Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T13:28:09.612Z"}}], "cna": {"title": "Vayu Blocks <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via containerWidth Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themehunk", "product": "Vayu Blocks \u2013 Website Builder for the Block Editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-02T20:13:10.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db01bc0a-4508-4fb5-941d-3f1a52528e2b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/admin-api.php#L6"}, {"url": "https://wordpress.org/plugins/vayu-blocks/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3303594/"}], "descriptions": [{"lang": "en", "value": "The Vayu Blocks \u2013 Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018containerWidth\u2019 parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:28.775Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4420", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:28.775Z", "dateReserved": "2025-05-08T00:07:55.910Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-03T08:21:53.379Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vayu Blocks \u2013 Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018containerWidth\u2019 parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Vayu Blocks \u2013 Gutenberg Blocks para WordPress y WooCommerce es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'containerWidth' en todas las versiones hasta la 1.3.1 incluida, debido a la falta de una comprobaci\u00f3n de capacidad en la funci\u00f3n vayu_blocks_option_panel_callback() y a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4420", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-03T09:15:22.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vayu-blocks/trunk/inc/admin-api.php#L6"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3303594/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/vayu-blocks/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db01bc0a-4508-4fb5-941d-3f1a52528e2b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:27:10.804815+00:00", "value": {"mitigation_remediation": ["Immediately update the Vayu Blocks plugin to any version newer than 1.3.1, where the containerWidth input is validated and proper capability checks are enforced.", "If an update cannot be applied, reduce or remove the permissions that allow Subscribers to edit block settings, or employ a capability management plugin to block access to the containerWidth parameter.", "Add a custom sanitization filter that strips script tags or enforces numeric input on the containerWidth field before it is stored, ensuring only benign values are accepted.", "Discontinue use of the Vayu Blocks plugin until a patch is released."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting that permits authenticated users with at least Subscriber level to insert arbitrary scripts into pages, which execute for any visitor"}, "threat_synthesis": {"affected_systems": "Themehunk\u2019s Vayu Blocks \u2013 Website Builder for the Block Editor is affected in all releases up to and including version 1.3.1. No other versions were mentioned by the CNA. The plugin runs in WordPress sites that have been installed with those versions.", "description_and_impact": "The Vayu Blocks plugin for WordPress allows a stored cross\u2011site scripting flaw via the containerWidth parameter. The flaw occurs because the option panel callback lacks a capability check and the parameter is not properly sanitized or escaped. Attackers who can authenticate as a Subscriber or higher can inject malicious JavaScript that will run every time a user visits an affected page. Based on the description, it is inferred that the injected scripts could be used to deface content, steal session cookies, or execute other malicious actions in the context of the site visitor.", "risk_and_exploitability": "The CVSS base score of 6.4 signals moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not in the CISA KEV catalog. Exploitation requires only authenticated access with Subscriber privileges on a WordPress instance; an attacker would use the plugin\u2019s option panel to submit a containerWidth value that includes malicious code. Once stored, the code executes in the browser context of any visitor who loads the modified block, making it a serious threat to confidentiality, integrity, and availability of the site\u2019s users."}}}}, "created": "2026-04-22T01:30:05.237198+00:00", "updated": "2026-04-22T01:30:05.237208+00:00", "vendors": []}