{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5940", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-09T16:00:30.622Z", "datePublished": "2025-06-27T07:22:22.816Z", "dateUpdated": "2026-04-08T16:53:24.707Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:24.707Z"}, "affected": [{"vendor": "osompress", "product": "Osom Blocks", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Osom Blocks \u2013 Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018class_name\u2019 parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Osom Blocks <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54e022df-0dc7-4f60-811d-48a92b723d55?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/osomblocks/trunk/blocks/cpt-list/index.php#L171"}, {"url": "https://wordpress.org/plugins/osomblocks/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3320673%40osomblocks&new=3320673%40osomblocks&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-06-26T19:06:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-27T13:49:04.816245Z", "id": "CVE-2025-5940", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-27T13:50:10.976Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-27T13:49:04.816245Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-27T13:50:07.281Z"}}], "cna": {"title": "Osom Blocks <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "osompress", "product": "Osom Blocks", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-26T19:06:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54e022df-0dc7-4f60-811d-48a92b723d55?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/osomblocks/trunk/blocks/cpt-list/index.php#L171"}, {"url": "https://wordpress.org/plugins/osomblocks/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3320673%40osomblocks&new=3320673%40osomblocks&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Osom Blocks \u2013 Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018class_name\u2019 parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:24.707Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5940", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:24.707Z", "dateReserved": "2025-06-09T16:00:30.622Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-27T07:22:22.816Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osompress:osom_blocks:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B3C0FFC2-E354-443A-A2D6-42D417F81E7E", "versionEndExcluding": "1.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Osom Blocks \u2013 Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018class_name\u2019 parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Osom Blocks \u2013 Custom Post Type listing block para WordPress es vulnerable a cross site scripting almacenado a trav\u00e9s del par\u00e1metro 'class_name' en todas las versiones hasta la 1.2.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5940", "lastModified": "2026-04-08T18:24:58.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-27T08:15:22.857", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/osomblocks/trunk/blocks/cpt-list/index.php#L171"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3320673%40osomblocks&new=3320673%40osomblocks&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/osomblocks/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54e022df-0dc7-4f60-811d-48a92b723d55?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:12:09.215709+00:00", "value": {"mitigation_remediation": ["Update the Osom Blocks plugin to the latest release that includes a patch for the class_name XSS issue. If no public fix is announced, contact the vendor for a release note or temporary advisory.", "Remove or disable the use of blocks that accept a class_name parameter on pages until a patched version is available, replacing them with safe, static content.", "Audit all existing posts and pages that include Osom Blocks to identify and delete any malicious script payloads that may have been injected previously, ensuring the database does not persist harmful code.", "Enforce least\u2011privilege on WordPress contributors to limit the risk of unauthorized script injections."], "summary": {"action": "Update Plugin", "impact": "Stored Cross-site scripting leading to arbitrary JavaScript execution by authenticated contributors"}, "threat_synthesis": {"affected_systems": "All publicly released versions of the Osom Blocks plugin for WordPress from the vendor osompress, including version 1.2.1 and earlier, are affected. Any WordPress site that installs the plugin and has contributors or higher roles is potentially vulnerable, regardless of which theme or other plugins are in use. No information is available indicating that later releases contain a fix, so site owners should check the plugin\u2019s update channel or vendor announcements for an approved patch.", "description_and_impact": "The Osom Blocks \u2013 Custom Post Type listing block plugin for WordPress contains a Stored Cross-site Scripting vulnerability that originates from insufficient input sanitization and output escaping of the class_name field. As a result, an authenticated user with Contributor privileges or higher can inject arbitrary JavaScript into block listings, with the payload persisting in the database and executing whenever a victim visits a page that renders the injected block. These client\u2011side scripts can be used to steal session cookies, deface content, or otherwise perform malicious actions on behalf of the victim user.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, placing it in the moderate severity range, and an EPSS score of less than 1%, suggesting a relatively low likelihood of exploitation in the wild at the time of analysis. It is not listed in the CISA KEV catalog. Exploitation requires an authenticated session with Contributor or higher privilege; the attacker must create or edit a block with a crafted class_name value that is rendered without proper escaping. Successful exploitation would lead to arbitrary script execution in the victim\u2019s browser, enabling theft of credentials, defacement, or further compromise of the site."}}}}, "created": "2025-07-13T21:48:07.558815+00:00", "updated": "2026-04-22T01:15:07.313838+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}