CVE-2025-6572: CWE-79 Cross-Site Scripting (XSS) in OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer)
The OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.2.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Analysis
Technical Summary
CVE-2025-6572 is a stored Cross-Site Scripting (XSS) vulnerability in the OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) WordPress plugin, affecting versions up to and including 1.2.0. The plugin fails to validate and escape certain block options before rendering them on pages or posts where the block is embedded. As a result, users with the contributor role or higher can inject scripts that are stored with the post content and later executed in the browsers of site visitors or administrators who view the affected page.

Stored XSS is particularly dangerous because the payload persists on the server and reaches every user who views the content, with no repeated interaction required. The vulnerability is classified under CWE-79 (improper neutralization of input during web page generation). Missing output escaping on the block options lets an attacker embed arbitrary JavaScript, which could be used for session hijacking, privilege escalation, defacement, or redirection to malicious sites.

No exploitation in the wild has been reported at this time, but the vulnerability is publicly disclosed and no fixed version is available, which raises the likelihood of exploitation. No CVSS score has been assigned, so the severity has not been formally assessed; the technical details nonetheless confirm a stored XSS in a widely used WordPress plugin component. Given that WordPress powers a significant share of websites globally and these page builders are popular content-creation tools, the vulnerability is a credible threat vector against WordPress sites that use the plugin.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress websites for business operations, customer engagement, or internal communications. Exploitation could lead to unauthorized script execution in the browsers of site visitors or administrators, resulting in theft of authentication credentials, session tokens, or sensitive data. This could facilitate further compromise of the website or connected systems. Additionally, attackers could deface websites, damaging brand reputation and customer trust. In regulated industries such as finance, healthcare, or e-commerce, such breaches could lead to violations of GDPR and other data protection regulations, resulting in legal penalties and financial losses. Since contributors (a relatively low privilege role) can exploit this vulnerability, insider threats or compromised contributor accounts could be leveraged to inject malicious code. The stored nature of the XSS means that once injected, the malicious payload can affect all users viewing the infected content, amplifying the potential damage. The vulnerability also poses risks to the integrity and availability of web content, as attackers could manipulate displayed information or disrupt normal website functionality.
Mitigation Recommendations
European organizations should take immediate steps to mitigate this vulnerability beyond generic patching advice. First, audit all WordPress sites using OpenStreetMap for Gutenberg and WPBakery Page Builder plugins to identify affected versions. Since no patch is currently available, temporarily disable or remove the vulnerable plugin or restrict block usage to trusted administrators only. Implement strict role-based access controls to limit contributor privileges and monitor contributor activities for suspicious behavior. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting the vulnerable block options. Sanitize and validate all user-generated content before publishing, using additional security plugins that enforce input filtering. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. Regularly back up website data to enable quick restoration in case of compromise. Monitor website logs and user reports for signs of XSS exploitation or unusual activity. Finally, stay updated with vendor advisories for patches or updates addressing this vulnerability and apply them promptly once released.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-06-24T12:54:15.635Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6895968dad5a09ad0000c784
Added to database: 8/8/2025, 6:17:49 AM
Last enriched: 8/8/2025, 6:32:51 AM
Last updated: 8/9/2025, 5:12:54 AM