CVE-2025-9378 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Vayu Blocks – Website Builder for the Block Editor plugin for WordPress, developed by themehunk. This vulnerability affects all versions up to and including 1.3.9. The root cause is improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in multiple attributes of the Lottie block. An authenticated attacker with Contributor-level access or higher can exploit this flaw to inject arbitrary malicious scripts into pages. These scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to a Contributor role, and no user interaction is needed for exploitation once the malicious content is injected. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the broader WordPress environment. No known exploits are currently reported in the wild, and no patches or updates have been linked yet. This vulnerability falls under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations using WordPress websites with the Vayu Blocks plugin, this vulnerability poses a significant risk to website integrity and user trust. Exploitation could allow attackers to execute malicious scripts in the browsers of site visitors or administrators, leading to theft of authentication cookies, defacement, or unauthorized administrative actions. This can result in data breaches, reputational damage, and potential regulatory non-compliance under GDPR if personal data is compromised. Since Contributor-level access is required, insider threats or compromised contributor accounts increase risk. The medium severity score reflects that while the vulnerability does not directly cause system downtime or data destruction, it can facilitate further attacks and data leakage. Organizations relying on this plugin for customer-facing or internal sites should consider the risk of persistent XSS attacks that can undermine website security and user confidence.

1. Immediate mitigation should include restricting Contributor-level access to trusted users only and auditing existing contributor accounts for suspicious activity. 2. Disable or remove the Vayu Blocks plugin if it is not essential to reduce the attack surface. 3. Monitor website content for unauthorized script injections, especially in pages using the Lottie block. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the vulnerable attributes. 5. Regularly update the plugin once a patch is released by themehunk; in the meantime, consider applying custom input sanitization or output escaping filters in WordPress to neutralize script tags or suspicious inputs in the Lottie block attributes. 6. Educate content contributors about secure content practices and the risks of embedding untrusted code. 7. Conduct periodic security scans focusing on XSS vulnerabilities and review logs for anomalous behavior related to content editing.