{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9378", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-23T00:15:30.197Z", "datePublished": "2025-09-03T06:43:10.099Z", "dateUpdated": "2026-04-08T17:14:05.603Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:05.603Z"}, "affected": [{"vendor": "themehunk", "product": "Vayu Blocks \u2013 Website Builder for the Block Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vayu Blocks \u2013 Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a92d53ab-9c59-4c9c-93e5-32dd05246249?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vayu-blocks/tags/1.3.5/trunk/inc/render/lottie/lottie.php#L102"}, {"url": "https://plugins.trac.wordpress.org/changeset/3351839/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}, {"lang": "en", "type": "finder", "value": "Jimmy Goucher"}], "timeline": [{"time": "2025-09-02T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T19:44:37.937987Z", "id": "CVE-2025-9378", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T19:44:48.858Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9378", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-03T19:44:37.937987Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T19:44:44.833Z"}}], "cna": {"title": "Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}, {"lang": "en", "type": "finder", "value": "Jimmy Goucher"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themehunk", "product": "Vayu Blocks \u2013 Website Builder for the Block Editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-02T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a92d53ab-9c59-4c9c-93e5-32dd05246249?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vayu-blocks/tags/1.3.5/trunk/inc/render/lottie/lottie.php#L102"}, {"url": "https://plugins.trac.wordpress.org/changeset/3351839/"}], "descriptions": [{"lang": "en", "value": "The Vayu Blocks \u2013 Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:05.603Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9378", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:05.603Z", "dateReserved": "2025-08-23T00:15:30.197Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-03T06:43:10.099Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vayu Blocks \u2013 Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9378", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-03T07:15:34.350", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vayu-blocks/tags/1.3.5/trunk/inc/render/lottie/lottie.php#L102"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3351839/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a92d53ab-9c59-4c9c-93e5-32dd05246249?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:44:45.584105+00:00", "value": {"mitigation_remediation": ["Upgrade Vayu Blocks to a version newer than 1.3.9 if available", "If an upgrade is not possible, remove or deactivate the Lottie block from all existing pages until a fix is released", "Restrict Contributor or higher roles from adding or editing blocks that allow custom attributes, or enforce strict content filtering for the Lottie block"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via block attributes"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Vayu Blocks \u2013 Website Builder for the Block Editor developed by Themehunk. All versions of the plugin up to and including 1.3.9 are impacted. The flaw exists in the handling of attributes for the Lottie block and is not limited to a specific sub\u2011feature or configuration.", "description_and_impact": "The Vayu Blocks \u2013 Website Builder for the Block Editor plugin contains insufficient input sanitization and output escaping for the Lottie block in all releases up to 1.3.9. Authenticated users with Contributor access or higher can inject arbitrary JavaScript into block attributes, which is stored and executed when any user opens the affected page. This flaw enables a persistent cross\u2011site scripting attack that affects the confidentiality and integrity of the site\u2019s users\u2019 browsers without requiring additional privileges.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker must first obtain Contributor\u2011level or higher authentication, then supply malicious content in a block attribute; the injected script is persisted and will fire for every visitor who loads the amended page. Given the moderate severity and limited exploit probability, the risk is moderate, but the impact remains significant for users who visit the compromised pages."}}}}, "created": "2025-09-03T19:30:20.890125+00:00", "updated": "2026-04-20T19:45:15.515152+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}