CVE-2025-13697: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpblockart BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘timestamp’ attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-13697 is a stored cross-site scripting vulnerability (CWE-79) in the BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library plugin for WordPress, affecting all versions up to and including 2.2.13. The root cause is that the value of the 'timestamp' block attribute is neither validated on input nor escaped when the plugin renders it into page markup. Gutenberg persists block attributes as JSON inside an HTML comment in post_content, and its serializer writes quotes and angle brackets as JSON \u escapes, so the KSES filtering that WordPress applies to a Contributor's post sees nothing to strip; the decoded value then reaches the plugin's render code, which writes it into an HTML attribute unescaped. An authenticated attacker with Contributor-level access or above can therefore store a value that breaks out of the attribute context and runs as JavaScript whenever the affected page is rendered. One practical caveat: Contributors cannot publish, so a payload in their draft runs first in the browser of the Editor or Administrator who previews or publishes it, which are the accounts an attacker most wants to compromise; once published, it runs for every visitor. The CVSS 3.1 base score of 6.4 (medium) is the usual score for this class of finding: network attack vector, low attack complexity, low privileges required, no user interaction beyond viewing the page, changed scope, low confidentiality and integrity impact, no availability impact. No public exploit had been reported at the time of writing, but the issue is publicly disclosed and the plugin is widely deployed, so it should be treated as a routine-priority patch item.
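The mechanism described above, as an added example that is not BlockArt's code: a dynamic block's render callback in the vulnerable shape (attribute interpolated straight into markup) beside a hardened version, fed the same stored block comment. The block name "example/countdown", the markup and the function names are hypothetical; only the attribute name 'timestamp' comes from the advisory. The esc_attr() and absint() stand-ins exist so the file runs outside WordPress.

```php
<?php
// Added example, not BlockArt's code. The block name "example/countdown", the markup and
// the callback names are hypothetical; only the attribute name "timestamp" comes from the
// advisory. Run with: php render_example.php

// Stand-ins so the file runs outside WordPress. Inside WordPress the real esc_attr()
// and absint() are already loaded and these definitions are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}
if ( ! function_exists( 'absint' ) ) {
	function absint( $maybeint ) {
		return abs( (int) $maybeint );
	}
}

// The vulnerable shape: the render callback writes the stored attribute straight into an
// HTML attribute. Nothing between post_content and this string escapes it.
function render_countdown_vulnerable( array $attributes ): string {
	$timestamp = $attributes['timestamp'] ?? '';
	return '<div class="countdown" data-timestamp="' . $timestamp . '"></div>';
}

// The hardened shape: treat the value as the type it claims to be (a Unix timestamp is a
// non-negative integer), reject anything else, and escape at the point of output anyway.
function render_countdown_hardened( array $attributes ): string {
	$raw       = $attributes['timestamp'] ?? 0;
	$timestamp = is_numeric( $raw ) ? absint( $raw ) : 0;
	return '<div class="countdown" data-timestamp="' . esc_attr( $timestamp ) . '"></div>';
}

// Gutenberg stores a block's attributes as JSON in an HTML comment in post_content. The
// serializer encodes quotes as \u0022, which is why the KSES filter applied to a
// Contributor's post sees nothing to strip. Both strings are constructed for this example;
// the second is the kind of value an attacker saves via the editor's code view or the REST API.
$samples = [
	'clean'   => '<!-- wp:example/countdown {"timestamp":1767225600} /-->',
	'payload' => '<!-- wp:example/countdown {"timestamp":"\u0022 onmouseover=\u0022alert(document.domain)"} /-->',
];

foreach ( $samples as $label => $post_content ) {
	// Minimal extraction of the attribute JSON from the block comment (single, flat block).
	if ( ! preg_match( '/<!-- wp:example\/countdown (\{.*?\}) \/-->/', $post_content, $m ) ) {
		continue;
	}
	$attributes = json_decode( $m[1], true );
	echo $label, PHP_EOL;
	echo '  vulnerable: ', render_countdown_vulnerable( $attributes ), PHP_EOL;
	echo '  hardened:   ', render_countdown_hardened( $attributes ), PHP_EOL;
}
```

For the clean sample both callbacks emit the same markup. For the payload sample the vulnerable callback closes the data-timestamp attribute early and emits onmouseover as a live event handler, while the hardened callback emits data-timestamp="0". The type check matters as much as the escaping: declaring the attribute as a number in block.json helps when WordPress validates attributes against the block schema, but a render callback should never rely on that alone, since the value it receives ultimately comes from post_content that a Contributor controls.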
Potential Impact
Successful exploitation of CVE-2025-13697 stores a script that runs in the browser of anyone who renders the affected page. WordPress authentication cookies are HttpOnly by default, so the realistic goal is not cookie theft but riding the victim's session: script running in an Administrator's browser can fetch any admin page same-origin, read a REST API nonce from it, and then create a new administrator, change the email address and password of an existing one, or install a plugin, turning a medium-severity XSS into full site compromise. Ordinary visitors can be redirected to malicious sites, served fake login forms, or shown altered content. Availability is not directly affected, but integrity and confidentiality losses of this kind lead to persistent backdoors and data exposure. Because exploitation requires an account with at least Contributor rights, sites that hand out contributor accounts freely (multi-author blogs, community sites, agencies with many external writers) carry the most risk, and the reviewers who preview contributor drafts are the first victims. Any site still on 2.2.13 or earlier with such accounts should assume the condition is exploitable.
Mitigation Recommendations
Update the BlockArt Blocks plugin to a release newer than 2.2.13; the advisory lists every version up to and including 2.2.13 as affected. Until that is done, reduce exposure: review who holds Contributor rights or above and remove accounts that do not need them, and have Editors and Administrators avoid previewing or publishing submissions from untrusted contributors, since the preview is where a payload in a draft first executes. A WAF rule in front of the post save paths (post.php and the REST posts endpoints) that flags block comments whose 'timestamp' attribute is not a plain numeric or date value is a reasonable stopgap, not a fix. Audit existing content: search post_content, including drafts, pending posts and revisions, for BlockArt blocks whose 'timestamp' attribute contains anything other than the format the block legitimately stores, and remove or neutralise what you find. A Content Security Policy can limit what an injected inline handler can do, but WordPress and most themes depend on inline scripts, so a policy strict enough to block this payload needs nonce- or hash-based allowances and careful testing; treat it as defence in depth. Keep roles at least privilege, and watch for the usual follow-on actions after an administrator session is hijacked: new administrator accounts, changed email addresses on privileged users, and plugin installs nobody requested.
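The content audit recommended above, as an added example that is not part of the page or the plugin: a stand-alone PHP script that walks block comments in post_content with the same delimiter regex WordPress's own WP_Block_Parser uses, decodes each BlockArt block's attributes, and reports any 'timestamp' value that does not match a whitelist of benign shapes. The "blockart/" namespace prefix, the block names in the sample content, and the definition of a benign timestamp are assumptions; adjust the whitelist after saving a clean instance of the block and reading the value it stores.

```php
<?php
// Added example, not BlockArt's code. Scans post_content for BlockArt blocks whose
// "timestamp" attribute does not look like a legitimate value. The block-delimiter regex
// is the one WordPress's WP_Block_Parser uses; the "blockart/" namespace prefix and the
// notion of what a benign timestamp looks like are assumptions to adjust for your site.
// Run stand-alone with: php audit_timestamp.php
// Inside a site: wp eval-file audit_timestamp.php (and replace $sample_posts, see below).

const BLOCK_DELIMITER_RE = '/<!--\s+(?P<closer>\/)?wp:(?P<namespace>[a-z][a-z0-9_-]*\/)?(?P<name>[a-z][a-z0-9_-]*)\s+(?P<attrs>{(?:(?:[^}]+|}+(?=})|(?!}\s+\/?-->).)*+)?}\s+)?(?P<void>\/)?-->/s';

// Whitelist, not blacklist: a value is benign only if it is a number, a digit string, or
// made of the characters an ISO-8601 date/time can contain. Everything else is reported
// for a human to look at.
function timestamp_looks_benign( $value ): bool {
	if ( is_int( $value ) || is_float( $value ) ) {
		return true;
	}
	if ( ! is_string( $value ) ) {
		return false;
	}
	return (bool) preg_match( '/^[0-9TZ:.+\- ]{1,40}$/', $value );
}

function find_unsafe_timestamp_attributes( int $post_id, string $content, string $namespace = 'blockart/' ): array {
	$findings = [];
	if ( ! preg_match_all( BLOCK_DELIMITER_RE, $content, $matches, PREG_SET_ORDER ) ) {
		return $findings;
	}
	foreach ( $matches as $m ) {
		// Skip closing delimiters and blocks that carry no attribute JSON.
		if ( '' !== ( $m['closer'] ?? '' ) || '' === trim( $m['attrs'] ?? '' ) ) {
			continue;
		}
		if ( ( $m['namespace'] ?? '' ) !== $namespace ) {
			continue;
		}
		$attrs = json_decode( trim( $m['attrs'] ), true );
		if ( ! is_array( $attrs ) || ! array_key_exists( 'timestamp', $attrs ) ) {
			continue;
		}
		if ( timestamp_looks_benign( $attrs['timestamp'] ) ) {
			continue;
		}
		$findings[] = [
			'post_id'   => $post_id,
			'block'     => $m['namespace'] . $m['name'],
			'timestamp' => $attrs['timestamp'],
		];
	}
	return $findings;
}

// Constructed sample content keyed by post ID. Post 7 carries an attribute-breakout payload
// inside a nested block; Gutenberg's serializer writes quotes as \u0022, so KSES never saw
// a tag to strip. Inside WordPress, build this array from get_posts() instead.
$sample_posts = [
	3 => '<!-- wp:paragraph --><p>Hello</p><!-- /wp:paragraph -->'
	   . '<!-- wp:blockart/countdown {"timestamp":1767225600,"align":"center"} /-->',
	7 => '<!-- wp:blockart/section {"gap":{"top":10}} -->'
	   . '<!-- wp:blockart/countdown {"timestamp":"\u0022 onmouseover=\u0022alert(document.domain)"} /-->'
	   . '<!-- /wp:blockart/section -->',
	9 => '<!-- wp:blockart/countdown {"timestamp":"2026-01-01T00:00:00Z"} /-->',
];

$all = [];
foreach ( $sample_posts as $post_id => $content ) {
	$all = array_merge( $all, find_unsafe_timestamp_attributes( $post_id, $content ) );
}

foreach ( $all as $f ) {
	printf( "post %d  block %s  timestamp=%s\n", $f['post_id'], $f['block'], json_encode( $f['timestamp'] ) );
}
if ( ! $all ) {
	echo "no suspicious timestamp attributes found\n";
}
```

Against the sample data only post 7 is reported. When running inside a site, feed the function every post's ID and post_content from get_posts() with post_status 'any' and the post types you use, and include revisions: a Contributor's pending draft and its autosaves are where a payload most often sits, and cleaning only the published copy leaves it there to be restored. A finding is a candidate for review, not proof of compromise, but a 'timestamp' that contains quotes, angle brackets or an on*= fragment has no legitimate reason to exist.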
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T21:15:15.664Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e50a4f2f793a7de7cda11
Added to database: 12/2/2025, 2:36:20 AM
Last enriched: 2/27/2026, 10:12:11 AM
Last updated: 3/23/2026, 8:51:46 PM