CVE-2025-5678 is a stored Cross-Site Scripting (XSS) vulnerability identified in the 'Gutenberg Blocks with AI by Kadence WP – Page Builder Features' WordPress plugin, affecting all versions up to and including 3.5.10. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'redirectURL' parameter. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level privileges or higher can inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation within the affected WordPress site. The vulnerability has a CVSS v3.1 base score of 6.4, categorized as medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change indicating that the vulnerability can affect components beyond the initially vulnerable plugin. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk given the widespread use of WordPress and the popularity of the Kadence WP plugin suite. The stored nature of the XSS means the malicious payload persists on the server, increasing the risk of repeated exploitation.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress-based websites, which are commonly used for corporate, governmental, and e-commerce portals. The exploitation could result in data theft, including user credentials and personal information, undermining GDPR compliance and potentially causing legal and reputational damage. Additionally, attackers could leverage the vulnerability to perform phishing attacks, deface websites, or pivot to other internal systems if further vulnerabilities exist. Given the Contributor-level access requirement, insider threats or compromised accounts could facilitate exploitation. The scope change in the CVSS vector indicates that the impact could extend beyond the plugin itself, potentially affecting other components or user sessions. This is particularly critical for European organizations that rely heavily on WordPress for public-facing and internal web applications, making them susceptible to service disruption and data breaches.

European organizations should promptly update the 'Gutenberg Blocks with AI by Kadence WP – Page Builder Features' plugin to a patched version once available. Until a patch is released, administrators should restrict Contributor-level access strictly to trusted users and review existing Contributor accounts for suspicious activity. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'redirectURL' parameter can provide temporary protection. Additionally, organizations should conduct thorough input validation and output encoding on all user-supplied data within their WordPress environment, possibly employing security plugins that enhance sanitization. Regular security audits and monitoring for unusual page content changes or script injections are recommended. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Finally, educating content contributors about secure content practices and monitoring for privilege escalation attempts will reduce the risk of exploitation.