CVE-2025-5678 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress, present in all versions up to and including 3.5.10. The vulnerability stems from improper neutralization of input during web page generation, specifically inadequate sanitization and output escaping of the 'redirectURL' parameter. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising session tokens, redirecting users to malicious sites, or performing actions on behalf of users without their consent. The vulnerability is rated medium severity with a CVSS 3.1 score of 6.4, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and a scope change. Although no public exploits are known, the risk is significant due to the widespread use of WordPress and the popularity of Kadence plugins. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those allowing user-generated content. The absence of a patch link suggests that remediation may require vendor action or manual mitigation by administrators.

The impact of CVE-2025-5678 can be substantial for organizations using the affected plugin. Successful exploitation allows attackers with minimal privileges (Contributor-level) to inject persistent malicious scripts into website pages. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Because the injected scripts execute in the context of the victim's browser, they can bypass same-origin policies and compromise user trust. For organizations relying on WordPress for content management, this can result in reputational damage, loss of customer confidence, and potential regulatory consequences if user data is exposed. The vulnerability's requirement for authenticated access limits exposure but does not eliminate risk, especially in environments with many contributors or weak access controls. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially targeted component, increasing potential damage. Overall, the threat is significant for websites with active user contributions and high traffic.

To mitigate CVE-2025-5678, organizations should take several specific actions beyond generic advice: 1) Immediately review and restrict Contributor and higher-level user permissions to trusted personnel only, minimizing the risk of malicious input. 2) Implement strict input validation and sanitization on the 'redirectURL' parameter at the application level, using allowlists or robust escaping functions to neutralize potentially harmful scripts. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. 4) Monitor website content and logs for unusual script injections or changes, enabling early detection of exploitation attempts. 5) If a patch becomes available from the vendor, prioritize its deployment promptly. 6) Consider using Web Application Firewalls (WAFs) with rules targeting known XSS patterns related to this plugin. 7) Educate contributors about secure content practices to reduce inadvertent introduction of malicious code. 8) Regularly audit installed plugins and themes for vulnerabilities and maintain an up-to-date inventory to respond quickly to emerging threats.