{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9075", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-15T15:18:36.770Z", "datePublished": "2025-10-01T03:25:23.865Z", "dateUpdated": "2026-04-08T16:54:35.412Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:35.412Z"}, "affected": [{"vendor": "bdthemes", "product": "ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5860d456-a992-4816-8c93-7311c33734e4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/google-map/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/image-gallery/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/progress-pie/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/text-path/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3351996%40zoloblocks&new=3351996%40zoloblocks&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3369092%40zoloblocks&new=3369092%40zoloblocks&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-08-15T15:33:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-01T13:19:21.642801Z", "id": "CVE-2025-9075", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T13:19:35.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T13:19:21.642801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T13:19:31.776Z"}}], "cna": {"title": "ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bdthemes", "product": "ZoloBlocks \u2013 Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-15T15:33:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5860d456-a992-4816-8c93-7311c33734e4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/google-map/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/image-gallery/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/progress-pie/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/text-path/frontend.js#L1"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3351996%40zoloblocks&new=3351996%40zoloblocks&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3369092%40zoloblocks&new=3369092%40zoloblocks&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:35.412Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9075", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:35.412Z", "dateReserved": "2025-08-15T15:18:36.770Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-01T03:25:23.865Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9075", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-01T04:16:05.480", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/google-map/frontend.js#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/image-gallery/frontend.js#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/progress-pie/frontend.js#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zoloblocks/tags/2.3.3/build/blocks/text-path/frontend.js#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3351996%40zoloblocks&new=3351996%40zoloblocks&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3369092%40zoloblocks&new=3369092%40zoloblocks&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5860d456-a992-4816-8c93-7311c33734e4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:58:18.832045+00:00", "value": {"mitigation_remediation": ["Update the ZoloBlocks plugin to the latest released version that removes the insecure input handling.", "Delete or sanitize any existing blocks that contain injected script content by editing the block attributes or clearing formatting.", "Limit access for contributor users\u2014consider downgrading them to editors or disabling the vulnerable blocks until the plugin update is applied."], "summary": {"action": "Patch Promptly", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ZoloBlocks \u2013 Gutenberg Block Editor Plugin by bdthemes. Versions up to and including 2.3.10 are vulnerable. WordPress sites with this plugin installed and that grant contributor or higher roles the ability to create or edit blocks are at risk.", "description_and_impact": "This flaw allows authenticated users with contributor privileges to embed arbitrary JavaScript into page content via multiple Gutenberg blocks. The insufficient sanitization of user\u2011supplied attributes causes the stored scripts to execute in the browsers of any visitor who loads a page containing the compromised block.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity flaw, while the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation in the immediate future. The vulnerability is not listed in the CISA KEV catalog, meaning no widespread exploitation has been recorded. The attack requires authenticated contributor access, so site administrators should audit user roles, limit block editing permissions, and apply a patch as soon as possible."}}}}, "created": "2025-10-02T08:46:06.231811+00:00", "updated": "2026-04-21T19:00:36.143317+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$zoloblocks", "wordpress", "wordpress$PRODUCT$wordpress"]}