CVE-2025-9075 is a stored cross-site scripting vulnerability classified under CWE-79, found in the bdthemes ZoloBlocks plugin for WordPress, which provides advanced Gutenberg blocks for content creation. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in several block components, such as Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. These flaws allow authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability affects all versions up to and including 2.3.10 of the plugin. The CVSS 3.1 score of 6.4 reflects a medium severity rating, with an attack vector over the network, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially compromised component. No public exploits have been reported yet, but the presence of multiple injection points increases the risk of exploitation. The vulnerability highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those that handle complex user-generated content in Gutenberg blocks.

The impact of this vulnerability is primarily on the confidentiality and integrity of affected WordPress sites. Exploitation allows attackers with contributor-level access to inject persistent malicious scripts that execute in the browsers of users viewing the infected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of other users, and potential defacement or redirection attacks. While availability is not directly affected, the indirect consequences such as reputational damage, loss of user trust, and potential regulatory penalties can be significant. Organizations relying on the ZoloBlocks plugin for content management are at risk of targeted attacks, especially if they have multiple contributors or editors with elevated privileges. The vulnerability could be leveraged in multi-tenant hosting environments or sites with high traffic to amplify the impact. Given WordPress’s widespread use globally, the potential scale of affected sites is large, increasing the overall risk landscape.

To mitigate this vulnerability, organizations should immediately update the ZoloBlocks plugin to a version that addresses the issue once available. In the absence of an official patch, administrators should restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the affected block attributes can provide temporary protection. Site owners should audit existing content for suspicious scripts injected via the vulnerable blocks and remove any malicious code. Additionally, applying Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting the sources from which scripts can be loaded. Developers maintaining custom Gutenberg blocks should review their input sanitization and output escaping practices to prevent similar issues. Regular security scanning and monitoring for unusual activity related to content editing are also recommended.