CVE-2025-2918 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Ultimate Blocks – WordPress Blocks Plugin, a popular plugin used to add blocks to WordPress sites. The vulnerability exists in all versions up to and including 3.3.3 due to improper neutralization of input during web page generation. Specifically, multiple widgets within the plugin fail to adequately sanitize and escape user-supplied input before rendering it on web pages. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the infected page and does not require elevated privileges beyond Contributor access, which is commonly granted to content creators. The CVSS v3.1 score of 6.4 reflects a medium severity, with an attack vector of network, low attack complexity, privileges required, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially compromised privilege boundary. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the plugin’s popularity. The lack of available patches at the time of reporting necessitates immediate attention from site administrators to implement workarounds or restrict Contributor permissions until a fix is released.

The impact of CVE-2025-2918 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, enabling theft of session cookies, user credentials, or other sensitive information accessible via the browser. This can lead to account takeover, unauthorized actions on the site, defacement, or distribution of malware. Since the vulnerability is stored XSS, the malicious payload persists on the site, affecting all visitors to the compromised pages. The requirement for Contributor-level access limits the attack surface but does not eliminate risk, as many sites grant such permissions to multiple users or external contributors. The scope change in the CVSS vector indicates that the attack can impact components beyond the initial user privileges, potentially escalating the damage. Organizations relying on this plugin for content management or marketing may face reputational damage, data breaches, and compliance issues if exploited. The absence of known exploits in the wild reduces immediate risk but does not preclude future attacks, especially as proof-of-concept code may emerge.

1. Immediately review and restrict Contributor-level access to trusted users only, minimizing the number of users who can inject content. 2. Monitor all user-generated content in the affected widgets for suspicious or unexpected scripts and remove any malicious code found. 3. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the plugin’s widgets. 4. Disable or remove the Ultimate Blocks plugin temporarily if feasible until a security patch is released. 5. Encourage the plugin vendor to release a patch and apply it promptly once available. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS. 8. Regularly audit WordPress plugins for vulnerabilities and keep all software updated to minimize exposure. 9. Use security plugins that can scan for and alert on suspicious content injections. 10. Backup site data frequently to enable quick restoration in case of compromise.