CVE-2025-15021 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Gotham Block Extra Light plugin for WordPress, present in all versions up to and including 1.5.0. The vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient input sanitization and output escaping in the plugin's admin settings interface. This flaw allows an authenticated attacker with administrator-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, narrowing the attack surface. The CVSS 3.1 base score is 4.4, reflecting a medium severity level, with an attack vector of network, high attack complexity, requiring high privileges, no user interaction, and a scope change. No public exploits have been reported to date, but the vulnerability poses a risk in environments where multiple administrators manage content. The issue highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those managing content across multi-site networks.

For European organizations, the impact of this vulnerability can be significant in environments using WordPress multi-site installations with the Gotham Block Extra Light plugin. Exploitation could lead to unauthorized script execution in the context of authenticated users, enabling attackers to steal session cookies, perform actions on behalf of administrators, or inject malicious content that could spread to site visitors. This can compromise confidentiality and integrity of data, potentially leading to data breaches or defacement of websites. Although availability is not directly impacted, reputational damage and loss of user trust can have business consequences. Organizations in sectors such as government, finance, and media, which often use WordPress multi-site setups for managing multiple domains or departments, are particularly at risk. The requirement for administrator-level access limits the threat to insider threats or compromised admin accounts, but once exploited, the scope can extend across the entire multi-site network, amplifying the damage.

1. Immediately review and restrict administrator-level access to trusted personnel only, minimizing the risk of insider threats. 2. Implement strict input validation and output encoding in the admin settings of the Gotham Block Extra Light plugin, or apply custom filters to sanitize inputs if patching is not immediately possible. 3. Monitor multi-site WordPress installations for unusual script injections or unexpected changes in plugin settings. 4. Disable or limit the use of the Gotham Block Extra Light plugin in multi-site environments until a patch or update is available. 5. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 6. Regularly audit user permissions and review logs for suspicious administrative activities. 7. Educate administrators on the risks of XSS and the importance of secure plugin management. 8. Stay updated with vendor advisories and apply patches promptly once released.