CVE-2025-9378 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Vayu Blocks – Website Builder for the Block Editor plugin for WordPress, specifically affecting all versions up to and including 1.3.9. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. It occurs in the Lottie block component of the plugin, where multiple attributes fail to properly sanitize and escape user-supplied input. This flaw allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute every time a user accesses the compromised page, potentially affecting administrators, editors, and visitors. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector (remote exploitation), low attack complexity, and requiring privileges but no user interaction. The vulnerability impacts confidentiality and integrity by enabling script execution that can hijack sessions, steal sensitive data, or perform unauthorized actions on behalf of users. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability is significant because WordPress powers a large portion of the web, and plugins like Vayu Blocks are widely used for building websites with block editors. Attackers exploiting this flaw could compromise websites, deface content, or conduct further attacks such as phishing or malware distribution.

The impact of CVE-2025-9378 is primarily on the confidentiality and integrity of affected websites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the vulnerable site, which can lead to session hijacking, theft of sensitive information (such as cookies or credentials), unauthorized actions performed with victim user privileges, and defacement or manipulation of website content. Since the vulnerability requires Contributor-level access, it limits exploitation to insiders or users with some level of trust, but many WordPress sites grant such access to multiple users, increasing risk. The stored nature of the XSS means the malicious payload persists and affects all visitors to the compromised pages, potentially amplifying the attack's reach. This can damage organizational reputation, lead to data breaches, and facilitate further attacks like phishing or malware distribution. The absence of known exploits currently reduces immediate risk, but the medium CVSS score and widespread use of the plugin suggest a moderate threat level that should be addressed promptly.

1. Restrict Contributor-level access strictly to trusted users and review user roles regularly to minimize the number of users who can inject content. 2. Implement web application firewalls (WAFs) with rules to detect and block malicious script patterns in user-generated content, especially targeting the Lottie block attributes. 3. Monitor website content for unexpected script injections or anomalies using automated scanning tools specialized in detecting stored XSS. 4. Apply strict input validation and output encoding on all user-supplied data within the plugin, if possible via custom filters or hooks, until an official patch is released. 5. Keep WordPress core and all plugins updated and subscribe to vendor advisories for timely patch deployment once available. 6. Consider temporarily disabling or replacing the Vayu Blocks plugin if the risk is unacceptable and no patch is available. 7. Educate content contributors about the risks of injecting untrusted scripts or HTML and enforce content submission policies. 8. Conduct regular security audits and penetration testing focusing on plugin components that handle user input.