CVE-2025-9075: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bdthemes ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-9075 is a stored Cross-Site Scripting (XSS) vulnerability affecting the ZoloBlocks plugin for WordPress, specifically versions up to and including 2.3.10. ZoloBlocks is a Gutenberg block editor plugin that provides advanced blocks, dynamic content, templates, and patterns for WordPress sites. The vulnerability arises from improper neutralization of user-supplied input during web page generation (CWE-79). Multiple Gutenberg blocks within the plugin, including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields, fail to sufficiently sanitize and escape input. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored in the content, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The CVSS v3.1 base score is 6.4 (medium severity), reflecting a network-based attack vector, low attack complexity and contributor-level privileges, with no user interaction required. The scope is changed, indicating that the impact extends beyond the vulnerable plugin itself to the browsers of users who view the injected page, potentially affecting the confidentiality and integrity of user data on affected sites. No known exploits are currently reported in the wild, and no official patches have been linked yet, emphasizing the need for vigilance and proactive mitigation by site administrators.
Potential Impact
For European organizations, this vulnerability poses a significant risk to websites using WordPress with the ZoloBlocks plugin, particularly those that allow contributor-level users to add or edit content. Exploitation could lead to unauthorized script execution, enabling attackers to steal session cookies, deface websites, inject malicious redirects, or perform actions on behalf of legitimate users. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and disrupt business operations. Since WordPress is widely used across Europe for corporate, governmental, and e-commerce sites, the impact could be broad. The vulnerability's ability to affect multiple block components increases the attack surface. Additionally, the stored nature of the XSS means that even users with no special privileges visiting the infected pages may be affected, amplifying the risk. Organizations handling sensitive or regulated data must be particularly cautious, as exploitation could lead to regulatory penalties and loss of customer trust.
Mitigation Recommendations
Beyond generic advice, European organizations should:
1) Immediately audit their WordPress installations to identify the presence and version of the ZoloBlocks plugin.
2) Restrict contributor-level permissions to trusted users only and review user roles to minimize unnecessary privileges.
3) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting known vulnerable block attributes.
4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites.
5) Monitor website content for unexpected script injections or anomalies in block data attributes.
6) Engage with the plugin vendor or community to obtain patches or updates as soon as they become available and apply them promptly.
7) Consider temporarily disabling or removing the plugin if immediate patching is not possible.
8) Educate content contributors about safe content practices and the risks of injecting untrusted code.
9) Use security plugins that scan for XSS vulnerabilities and malicious content injections regularly.
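The root cause named in the technical summary, block attributes written into the rendered page without context-appropriate escaping, is easiest to see in a dynamic block's render callback. The following PHP is an added, constructed illustration and is not ZoloBlocks' code; the block name `example/caption`, the attribute names `caption`, `url` and `title`, and the function names are all hypothetical. It shows the unsafe rendering pattern next to the hardened form using WordPress core's escaping functions, plus the CSP header from mitigation 4.

```php
<?php
// Hypothetical dynamic block (constructed illustration, not the plugin's code).
// Block attributes are saved in post_content by whoever edited the post, so at
// render time they are untrusted input and must be escaped for their context.

// BEFORE: attribute values are interpolated into markup unescaped. This is the
// CWE-79 pattern: a value can close the attribute or the tag and add markup.
function example_render_caption_block_unsafe( $attributes ) {
    $caption = $attributes['caption'] ?? '';
    $url     = $attributes['url'] ?? '';
    $title   = $attributes['title'] ?? '';
    return '<figure data-title="' . $title . '"><a href="' . $url . '">' . $caption . '</a></figure>';
}

// AFTER: escape on output, choosing the escaper by where the value lands.
function example_render_caption_block_safe( $attributes ) {
    $caption = $attributes['caption'] ?? '';
    $url     = $attributes['url'] ?? '';
    $title   = $attributes['title'] ?? '';

    // Text that may legitimately carry limited HTML (a caption): wp_kses_post()
    // keeps only the post-safe tag/attribute allowlist and drops script tags,
    // on* event handlers and javascript: hrefs inside it.
    $caption_html = wp_kses_post( $caption );

    // A URL attribute: esc_url() returns '' for schemes outside
    // wp_allowed_protocols() (javascript: and data: are not in the list) and
    // encodes characters that could break out of the attribute.
    $href = esc_url( $url );

    // A plain data-* attribute: esc_attr() HTML-encodes quotes and angle
    // brackets so the value cannot terminate the attribute or the tag.
    $data_title = esc_attr( $title );

    return sprintf(
        '<figure data-title="%s"><a href="%s">%s</a></figure>',
        $data_title,
        $href,
        $caption_html
    );
}

register_block_type( 'example/caption', array(
    'attributes'      => array(
        'caption' => array( 'type' => 'string', 'default' => '' ),
        'url'     => array( 'type' => 'string', 'default' => '' ),
        'title'   => array( 'type' => 'string', 'default' => '' ),
    ),
    'render_callback' => 'example_render_caption_block_safe',
) );

// Mitigation 4 from the list above: a CSP that confines script sources. Sent in
// report-only mode first so that inline scripts WordPress core and other plugins
// rely on are surfaced as violation reports rather than broken outright.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The escaping choice is per output context, not per input: the same string needs `esc_attr()` inside a quoted attribute, `esc_url()` in an `href` or `src`, and `wp_kses_post()` where rendered HTML is wanted. Sanitising once on save is not a substitute, because stored content can be edited through other paths later, which is why WordPress's own guidance is to escape late, at output. Switch the header from `Content-Security-Policy-Report-Only` to `Content-Security-Policy` only after the reports show that no legitimate inline script on the site is being blocked.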
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Ireland
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-08-15T15:18:36.770Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68dca0d55d588c52e5e0c389
Added to database: 10/1/2025, 3:32:37 AM
Last enriched: 10/1/2025, 3:47:42 AM
Last updated: 10/1/2025, 7:08:34 AM
Related Threats
- CVE-2025-9512: CWE-79 Cross-Site Scripting (XSS) in Schema & Structured Data for WP & AMP (High)
- CVE-2025-10538: CWE-288: Authentication Bypass Using an Alternate Path or Channel in LG Innotek Camera Model LND7210 (High)
- CVE-2025-10744: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in softdiscover File Manager, Code Editor, and Backup by Managefy (Medium)
- CVE-2025-10735: CWE-918 Server-Side Request Forgery (SSRF) in bplugins Block For Mailchimp – Easy Mailchimp Form Integration (Medium)
- CVE-2025-11153: JIT miscompilation in the JavaScript Engine: JIT component in Mozilla Firefox (High)