CVE-2025-13697 identifies a stored Cross-Site Scripting (XSS) vulnerability in the BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library plugin for WordPress. The vulnerability exists in all versions up to and including 2.2.13 due to insufficient sanitization and escaping of the 'timestamp' attribute input. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary JavaScript code that is stored persistently within the plugin's data. When other users access pages containing the injected content, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability does not require user interaction beyond page access, but does require authenticated access, limiting the attacker to users with some level of site privileges. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact, but no availability impact. No known exploits are currently reported in the wild. The root cause is improper neutralization of input during web page generation, classified under CWE-79. The vulnerability affects a widely used WordPress plugin that provides block and page builder functionality, commonly used in content-rich websites. The lack of a patch at the time of reporting necessitates interim mitigations to reduce risk.

For European organizations, this vulnerability poses a significant risk to websites using the BlockArt Blocks plugin, especially those with multiple content contributors such as media companies, e-commerce platforms, and corporate sites. Exploitation can lead to unauthorized script execution, enabling attackers to hijack user sessions, steal credentials, deface websites, or perform actions on behalf of legitimate users. This can damage organizational reputation, lead to data breaches, and disrupt business operations. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts increase risk. The persistent nature of stored XSS means that once injected, malicious scripts can affect all users visiting the compromised pages, amplifying potential damage. Given the widespread use of WordPress in Europe and the popularity of page builder plugins, the threat surface is considerable. Organizations in regulated sectors may face compliance issues if customer data is exposed or integrity is compromised. The medium severity rating suggests that while the vulnerability is serious, it is not trivially exploitable by unauthenticated attackers, somewhat limiting its impact scope.

Immediate mitigation steps include restricting Contributor-level access to trusted users only and monitoring for suspicious content or script injections in pages using the plugin. Organizations should implement Web Application Firewall (WAF) rules to detect and block malicious script payloads targeting the 'timestamp' attribute or related plugin endpoints. Applying strict Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Until an official patch is released, consider disabling or removing the vulnerable plugin if feasible. Regularly audit user roles and permissions to minimize the number of users with contributor or higher privileges. Employ security plugins that scan for XSS payloads and anomalous content changes. Once a patch is available, promptly update the plugin to the fixed version. Additionally, educate content contributors about safe input practices and the risks of injecting untrusted content. Logging and alerting on unusual content modifications can provide early detection of exploitation attempts.