The GutenBee – Gutenberg Blocks plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-8566, classified under CWE-79. This vulnerability arises from improper neutralization of input during web page generation, specifically within the CountUp and Google Maps blocks. The root cause is insufficient sanitization and escaping of user-supplied parameters, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently, they execute every time the infected page is accessed by any user, including administrators and visitors. The vulnerability affects all plugin versions up to and including 2.18.0. Exploitation does not require user interaction but does require authentication with at least Contributor privileges. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality and integrity with no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and GutenBee blocks in content creation.

If exploited, this vulnerability can lead to the execution of arbitrary JavaScript in the context of the affected WordPress site. This can compromise user sessions, steal cookies or credentials, deface websites, or redirect users to malicious sites. Since the vulnerability requires Contributor-level access, attackers may leverage compromised or weak user accounts to inject scripts. The impact extends to site administrators and visitors who access the infected pages, potentially leading to broader compromise of site integrity and user trust. For organizations relying on GutenBee blocks for content, this can result in reputational damage, data leakage, and increased risk of further attacks such as phishing or malware distribution. The medium severity score reflects moderate risk but should not be underestimated given the persistence and scope of stored XSS attacks.

Organizations should immediately update the GutenBee – Gutenberg Blocks plugin to a patched version once released by the vendor. Until a patch is available, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the affected blocks. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. Regularly audit user accounts and monitor site content for suspicious scripts or unexpected changes. Educate site administrators and content editors about the risks of XSS and the importance of input validation. Additionally, consider disabling or removing the vulnerable blocks (CountUp and Google Maps) if they are not essential to reduce the attack surface.