{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5923", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-09T14:05:26.746Z", "datePublished": "2025-06-13T06:41:23.711Z", "dateUpdated": "2026-04-08T17:05:16.110Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:16.110Z"}, "affected": [{"vendor": "marcdk", "product": "Game Review Block", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.8.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Game Review Block <= 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/88520d8e-8e13-4b58-9df3-3b99afd39144?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/game-review-block/tags/4.7.0/src/game-table/callback.php#L38"}, {"url": "https://wordpress.org/plugins/game-review-block/#developers"}, {"url": "https://github.com/mtoensing/game-review-block/commit/135aa118b75db5242df7fd1ef13cc09ec3410f3a"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-06-09T16:22:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-12T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T14:01:39.713678Z", "id": "CVE-2025-5923", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T14:01:46.170Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-13T14:01:39.713678Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T14:01:43.256Z"}}], "cna": {"title": "Game Review Block <= 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "marcdk", "product": "Game Review Block", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.8.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-09T16:22:13.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-12T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/88520d8e-8e13-4b58-9df3-3b99afd39144?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/game-review-block/tags/4.7.0/src/game-table/callback.php#L38"}, {"url": "https://wordpress.org/plugins/game-review-block/#developers"}, {"url": "https://github.com/mtoensing/game-review-block/commit/135aa118b75db5242df7fd1ef13cc09ec3410f3a"}], "descriptions": [{"lang": "en", "value": "The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-06-13T06:41:23.711Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5923", "state": "PUBLISHED", "dateUpdated": "2025-06-13T14:01:46.170Z", "dateReserved": "2025-06-09T14:05:26.746Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-13T06:41:23.711Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018className\u2019 parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Game Review Block para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'className' en todas las versiones hasta la 4.8.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5923", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-13T07:15:22.663", "references": [{"source": "security@wordfence.com", "url": "https://github.com/mtoensing/game-review-block/commit/135aa118b75db5242df7fd1ef13cc09ec3410f3a"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/game-review-block/tags/4.7.0/src/game-table/callback.php#L38"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/game-review-block/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/88520d8e-8e13-4b58-9df3-3b99afd39144?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:16:12.835087+00:00", "value": {"mitigation_remediation": ["Upgrade the Game Review Block plugin to the latest available version (4.8.2 or later).", "If an upgrade is not immediately possible, revoke or downgrade Contributor privileges for users that can edit blocks until the patch is applied.", "After applying the patch, perform a site\u2011wide audit of blocks to confirm no residual malicious scripts remain."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Marcdk\u2019s Game Review Block plugin for WordPress, versions 4.8.1 and earlier, is affected. Any installation of these versions must be verified and updated.", "description_and_impact": "The Game Review Block plugin for WordPress is vulnerable to stored cross\u2011site scripting through the className parameter in all versions up to 4.8.1. Insufficient input sanitization and output escaping allow an attacker who has at least Contributor level access to inject arbitrary web scripts that will execute whenever another user views the injected page. This flaw can be used to deface content, steal user credentials, or perform other malicious actions within the site\u2019s authenticated context.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1% suggests exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires a user with Contributor or higher privileges to inject the payload; from that point the scripts run with the privileges of the affected site visitor. The lack of broader access permissions limits the scope to authenticated users who view compromised pages."}}}}, "created": "2026-04-21T20:30:27.393627+00:00", "updated": "2026-04-21T20:30:27.393638+00:00", "vendors": []}