CVE-2025-15021 is a stored cross-site scripting (XSS) vulnerability identified in the Gotham Block Extra Light plugin for WordPress, affecting all versions up to and including 1.5.0. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of administrator-supplied data within plugin settings. This vulnerability allows an attacker with administrator-level permissions to inject arbitrary JavaScript code into pages generated by the plugin. The malicious script executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability is constrained to multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting the attack surface. Exploitation requires authenticated access with high privileges, no user interaction is needed beyond visiting the infected page, and the vulnerability affects confidentiality and integrity but not availability. The CVSS v3.1 score is 4.4 (medium severity), reflecting the high attack complexity and required privileges. No public exploits have been reported yet. The vulnerability was reserved in late 2025 and published in early 2026. Due to the nature of WordPress multi-site environments and the plugin's usage, this vulnerability poses a moderate risk to affected organizations.

The primary impact of CVE-2025-15021 is the potential compromise of confidentiality and integrity within affected WordPress multi-site installations using the Gotham Block Extra Light plugin. An attacker with administrator-level access can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. Although availability is not directly affected, the injected scripts could be used to deface websites or disrupt user experience. The requirement for high privileges limits the risk to insider threats or attackers who have already compromised an administrator account. Organizations relying on multi-site WordPress deployments with this plugin are at risk of internal compromise and lateral movement. The vulnerability could also be leveraged in targeted attacks against organizations with high-value WordPress sites, especially those disabling unfiltered_html for security reasons. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

1. Apply patches or updates from the Gothamdev vendor as soon as they become available to address this vulnerability. 2. Until patches are released, restrict administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. For multi-site WordPress installations, review and limit the use of the Gotham Block Extra Light plugin or disable it if not essential. 4. Implement additional input validation and output encoding controls at the application or web server level to mitigate injection of malicious scripts. 5. Monitor administrative settings and plugin configurations for unauthorized changes that could indicate exploitation attempts. 6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and multi-site configurations. 7. Educate administrators about the risks of stored XSS and the importance of careful input handling. 8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting this plugin. 9. Review and adjust the unfiltered_html capability settings carefully, balancing security and functionality needs. 10. Maintain comprehensive logging and alerting to detect potential exploitation attempts promptly.