CVE-2025-9075: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bdthemes ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns
The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-9075 is a stored cross-site scripting vulnerability in the bdthemes ZoloBlocks plugin for WordPress, a library of Gutenberg blocks, affecting versions up to and including 2.3.10. The root cause is missing or insufficient escaping when the plugin renders user-controlled block attributes: Google Maps marker fields, Lightbox captions, Image Gallery data attributes, the Progress Pie prefix and suffix, and the Text Path URL field. Why a Contributor can reach this is worth spelling out. Contributors do not hold the unfiltered_html capability, so WordPress runs KSES over their post content and strips script tags and event-handler attributes from ordinary HTML. Block attributes are different: they are stored as JSON inside the block delimiter comment (<!-- wp:... {...} -->), and the serializer writes <, >, & and " as \u003c, \u003e, \u0026 and \u0022, so KSES never sees a tag. A marker title of the form `x" onmouseover="...`, a caption containing an <img> with an onerror handler, or a javascript: URL in the Text Path field therefore survives saving intact, and the only remaining defence is the plugin escaping each value at render time with esc_attr(), esc_html() or esc_url(). Where a render callback concatenates the raw value into the page, the script runs for every visitor of the page and, because Contributors cannot publish on their own, for the Editor or Administrator who opens the draft to review or preview it. WordPress sets its authentication cookies HttpOnly, so the realistic outcome is not cookie theft but actions performed with the victim's session and nonces: account creation, settings changes or content tampering from an administrator's browser, and phishing or defacement for ordinary visitors. The CVSS 3.1 base score is 6.4 (medium): network attack vector, low complexity, low privileges required, no user interaction, scope changed, and low confidentiality and integrity impact with no availability impact. The changed scope reflects the usual reading for WordPress XSS, in which the payload executes in a visitor's browser rather than in the vulnerable PHP component. No public exploit is known at the time of writing, but five separate injection points widen the surface. The CVE was reserved in August 2025 and published in October 2025; the record lists no patch link, so treat remediation as pending until a release later than 2.3.10 appears in the plugin changelog. ZoloBlocks is in use on sites that build content with Gutenberg blocks, which makes the issue relevant to many WordPress deployments.
Potential Impact
For European organizations running WordPress with ZoloBlocks 2.3.10 or earlier, the risk is to the confidentiality and integrity of the site and of its users' sessions. A user with Contributor rights, or an attacker holding a compromised Contributor account, can plant a persistent script that runs in the browser of anyone who views the page, including the Editor or Administrator who previews the draft before publication. From an administrator's session the script can drive wp-admin or the REST API with that user's nonces to create accounts, change settings or install code, so a medium-rated XSS can end in full site compromise. Visitor-side effects include session riding, credential phishing on a trusted domain and content manipulation, with GDPR exposure wherever personal or customer data is involved. Availability is not directly affected. The privileges-required component limits exposure to unauthenticated attackers, but sites with open registration, many contributors, or agencies and guest authors holding accounts are exposed, and insider misuse of a Contributor account is exactly the scenario this class of bug enables. With no patch link in the record, interim mitigations carry the load.
Mitigation Recommendations
1. Audit who holds Contributor, Author and Editor roles on sites running ZoloBlocks 2.3.10 or earlier; remove stale accounts and enforce strong authentication for the rest, since a compromised Contributor account is the likeliest path to exploitation.
2. Hunt for content that is already injected. The affected values live in the JSON of the block delimiter comments in post_content, with angle brackets stored as \u003c and \u003e, so search the decoded attribute values (or the raw text for \u003c, onerror=, onmouseover= and javascript:) rather than for a literal <script> tag. Include drafts, pending posts and revisions, not only published pages, because drafts are what editors preview.
3. Deploy a Web Application Firewall with rules aimed at stored XSS in WordPress, with one caveat: the payload arrives as JSON through the REST API (/wp-json/wp/v2/posts) with angle brackets already escaped, so generic <script> signatures miss it. Rules need to inspect JSON bodies for event handlers and dangerous URL schemes.
4. Add a Content Security Policy, starting in report-only mode. A policy that allows 'unsafe-inline' gives no protection against this class; a nonce- or hash-based policy does, but WordPress core and many plugins emit inline scripts, so budget time for the plumbing.
5. Keep WordPress core and plugins current and watch the ZoloBlocks changelog; apply the first release later than 2.3.10 that addresses the issue without delay.
6. If patching is not possible in the short term, deactivate or replace the plugin; content built with its blocks will stop rendering or lose its styling, so test on staging first.
7. Brief content contributors on what a suspicious block attribute looks like and on the consequences of pasting markup from untrusted sources.
8. Include stored XSS in block attributes in routine scans and penetration tests of WordPress sites.
9. Do not expect a general-purpose security plugin to add output escaping to another plugin's render code; the fix has to be in the plugin itself (esc_attr(), esc_html() and esc_url() applied to each attribute at render time).
10. Log content changes by user. WordPress revisions already record who saved each version of post_content, so a payload can be traced to the account and time that introduced it.
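Steps 2 and 10 above, as a runnable hunt over stored content. This is an added example written for this page, not code from ZoloBlocks, Wordfence or the page's source. The block namespace zolo/, the attribute names and the SAMPLE_POSTS content are constructed stand-ins, not identifiers from the advisory; point the script at a real export instead (for instance the output of `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_type IN ('post','page','revision')"`). It decodes the JSON in each block delimiter before testing it, which is what catches payloads that a grep for <script in raw post_content misses, and it checks URL-named keys for an unsafe scheme because javascript:alert(1) contains no tag at all.

```python
"""Hunt stored post_content for script-bearing Gutenberg block attributes.

Added example for this advisory; not code from ZoloBlocks, Wordfence or the
page's source. Hypothetical stand-ins (not from the advisory): the "zolo/"
block namespace, the attribute names, and the SAMPLE_POSTS content below.
"""
import json
import re
from typing import Any, Iterator

# Opening delimiter of a block that carries attributes, e.g.
#   <!-- wp:zolo/lightbox {"caption":"..."} -->   or the self-closing form  ... /-->
BLOCK_OPEN = re.compile(
    r"<!--\s+wp:(?P<name>[a-z0-9][a-z0-9-]*/[a-z0-9][a-z0-9-]*)\s+"
    r"(?P<json>\{.*?\})\s+/?-->",
    re.DOTALL,
)

# Things a Contributor has no legitimate reason to put in a caption, marker
# title, prefix or data attribute. Checked on the *decoded* value: WordPress
# serializes <, >, & and " in attribute JSON as \u003c, \u003e, \u0026, \u0022,
# so grepping raw post_content for "<script" finds nothing. Deliberately noisy;
# review hits by hand.
SUSPICIOUS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)),
    ("event-handler", re.compile(r"""[\s"'/]on[a-z]+\s*=""", re.IGNORECASE)),
]

# Attribute keys that end up in href/src/url(): check the scheme as well,
# because "javascript:alert(1)" contains no < at all.
URL_KEY = re.compile(r"url|href|link|src", re.IGNORECASE)
SAFE_SCHEMES = {"http", "https", "mailto", "tel"}


def url_is_safe(value: str) -> bool:
    """Accept relative references or an allow-listed scheme, roughly what esc_url() does."""
    v = value.strip()
    if not v or v.startswith(("/", "#", "?")):
        return True
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", v, re.IGNORECASE)
    if m is None:
        return True  # scheme-less, e.g. "example.com/path"
    return m.group(1).lower() in SAFE_SCHEMES


def walk_strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted.path[index], value) for every string leaf in decoded attributes."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{i}]")


def scan_post(post_id: int, content: str) -> list[dict]:
    """Return one finding per suspicious attribute value in a post's block markup."""
    findings = []
    for m in BLOCK_OPEN.finditer(content):
        try:
            attrs = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue  # the editor would mark such a block invalid; not our target
        for path, value in walk_strings(attrs):
            reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
            leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
            if URL_KEY.search(leaf) and not url_is_safe(value):
                reasons.append("unsafe-url-scheme")
            if reasons:
                findings.append({
                    "post": post_id,
                    "block": m.group("name"),
                    "attr": path,
                    "reasons": reasons,
                    "value": value[:80],
                })
    return findings


def scan_posts(posts: dict[int, str]) -> list[dict]:
    """Scan a {post_id: post_content} mapping, e.g. loaded from a wp_posts export."""
    out = []
    for post_id, content in posts.items():
        out.extend(scan_post(post_id, content))
    return out


# Constructed sample content (not real site data). Post 101 is benign; post 102
# carries three generic XSS probes in the kinds of fields the advisory names.
SAMPLE_POSTS = {
    101: (
        '<!-- wp:zolo/google-maps {"markers":[{"title":"Head office","desc":"Open 9-5"}]} /-->\n'
        '<!-- wp:zolo/progress-pie {"prefix":"~","suffix":"%","value":72} /-->\n'
    ),
    102: (
        '<!-- wp:zolo/google-maps {"markers":[{"title":"x\\u0022 onmouseover=\\u0022alert(1)"}]} /-->\n'
        '<!-- wp:zolo/text-path {"url":"javascript:alert(document.domain)","text":"curved"} /-->\n'
        '<!-- wp:zolo/lightbox {"caption":"\\u003cimg src=x onerror=alert(1)\\u003e"} /-->\n'
    ),
}

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(json.dumps(finding))
```

Run it against revisions as well as current posts: each hit carries the post ID, and the revision row's author tells you which account saved the offending value, which is the audit trail step 10 asks for.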
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-15T15:18:36.770Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68dca0d55d588c52e5e0c389
Added to database: 10/1/2025, 3:32:37 AM
Last enriched: 10/8/2025, 8:41:15 AM
Last updated: 11/14/2025, 2:44:57 AM