CVE-2025-1291 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress. This vulnerability exists due to insufficient input sanitization and output escaping of the 'icon' parameter in all plugin versions up to and including 3.4.9. An authenticated attacker with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the vulnerable parameter. Because the malicious script is stored persistently, it executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability does not require user interaction beyond viewing the page and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed since the vulnerability can affect other users beyond the attacker. No patches or known exploits are currently reported, but the risk remains significant due to the widespread use of WordPress and the plugin's functionality. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that allow user-generated content or parameters influencing page rendering.

The impact of CVE-2025-1291 on organizations worldwide can be significant, particularly for those relying on WordPress sites with the affected plugin installed. Exploitation allows attackers with Contributor-level access to inject persistent malicious scripts, which can lead to session hijacking, unauthorized actions, data theft, or defacement of websites. This undermines the confidentiality and integrity of user data and can damage organizational reputation. Since the vulnerability does not affect availability directly, denial-of-service is less likely. However, the compromise of user accounts or administrative functions through chained attacks could escalate the impact. Organizations with multiple contributors or less restrictive user role management are at higher risk. The vulnerability also poses a risk to site visitors who may be exposed to malicious payloads. Given WordPress's global popularity, the threat can affect a broad range of sectors including e-commerce, media, education, and government websites. The absence of known exploits in the wild suggests limited active exploitation currently, but the medium CVSS score and ease of exploitation by authenticated users warrant prompt attention.

To mitigate CVE-2025-1291, organizations should first verify if they use the Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin and identify the version in use. Since no official patch is currently available, immediate mitigation steps include restricting Contributor-level user permissions to trusted individuals only and reviewing user roles to minimize unnecessary privileges. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections targeting the 'icon' parameter can help reduce risk. Administrators should audit existing content for injected scripts and remove any malicious code. Enforcing Content Security Policy (CSP) headers can limit the impact of injected scripts by restricting script sources. Monitoring logs for unusual activity related to page edits or script execution is recommended. Once a patch is released by the vendor, prompt updating of the plugin is critical. Additionally, educating contributors about safe content practices and the risks of injecting untrusted input can reduce exploitation likelihood. Regular backups and incident response plans should be maintained to recover quickly if exploitation occurs.