CVE-2025-8624 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Nexa Blocks plugin for WordPress, specifically versions up to and including 1.1.0. This plugin is used as a page builder for the Gutenberg editor and Full Site Editing (FSE) in WordPress. The vulnerability arises from insufficient input sanitization and output escaping in the plugin's Google Maps widget, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently in the page content, it executes whenever any user accesses the compromised page. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (contributor or higher), no user interaction, and scope change. The impact includes partial loss of confidentiality and integrity, as attackers can execute scripts in the context of other users, potentially stealing session tokens, defacing content, or performing actions on behalf of users. There are no known public exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability affects all versions of the Nexa Blocks plugin up to 1.1.0, which is widely used in WordPress sites employing Gutenberg blocks for page building.

For European organizations, this vulnerability poses a significant risk especially to those using WordPress sites with the Nexa Blocks plugin. The ability for authenticated contributors to inject persistent scripts can lead to data theft, session hijacking, and unauthorized actions within the site, potentially compromising user data and organizational reputation. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce websites, exploitation could disrupt business operations and lead to regulatory non-compliance under GDPR if personal data is exposed. The scope of impact is heightened in organizations that allow multiple contributors or editors with contributor-level access, as these users could be targeted or compromised to exploit the vulnerability. Additionally, the stored nature of the XSS means that all visitors to the infected pages are at risk, amplifying the potential damage. While no active exploits are known, the medium severity and ease of exploitation (low complexity, no user interaction) suggest that attackers could develop exploits quickly once the vulnerability is publicly known.

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations for the presence of the Nexa Blocks plugin and verify the version in use. Until an official patch is released, organizations should restrict contributor-level access to trusted users only and consider temporarily disabling or removing the Google Maps widget functionality within the plugin. Implementing Web Application Firewall (WAF) rules that detect and block suspicious script injection attempts targeting the plugin's widget parameters can provide interim protection. Additionally, organizations should enforce strict content security policies (CSP) to limit the execution of unauthorized scripts. Regular monitoring of website content for unexpected script injections and user activity logs for unusual contributor behavior is recommended. Once a patch is available, prompt application of updates is critical. Finally, educating contributors about safe content practices and the risks of injecting untrusted code can reduce exploitation likelihood.