WordPress, Stored Cross-Site Scripting (XSS), CVE-2025-1664 (Critical)

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Parallax slider in all versions up to, and including, 5.3.1. This vulnerability arises due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or session hijacking. The CVSS 4.0 severity score reflects the critical nature of this vulnerability, emphasizing the need for immediate remediation.

DailyCVE Form:

Platform: WordPress
Version: <= 5.3.1
Vulnerability: Stored XSS
Severity: Critical
Date: 03/08/2025

What Undercode Say:

Exploitation Details:

  1. Exploit Vector: An attacker with Contributor-level access injects malicious JavaScript into the Parallax slider component.
  2. Payload Execution: The payload executes when any user views the compromised page.
  3. Impact: Session hijacking, defacement, or unauthorized actions on behalf of the user.

Exploit Code Example:

<script>alert('XSS Exploit');</script>

This payload can be injected into the Parallax slider input field, executing when the page is loaded.

Protection Measures:

  1. Input Sanitization: Ensure all user inputs are sanitized before processing.
  2. Output Escaping: Escape outputs to prevent script execution.
  3. Plugin Update: Update the Essential Blocks plugin to the latest version (if available).

Mitigation Commands:

1. Remove Vulnerable Plugin (deleting it also stops its blocks from rendering on existing pages, so prefer updating to a patched release where one exists):

wp plugin delete essential-blocks

2. Install Security Plugin:

wp plugin install wordfence --activate

Analytics:

  • Affected Users: All WordPress sites using Essential Blocks <= 5.3.1.
  • Risk Level: High, due to the potential for widespread exploitation.
  • Remediation Priority: Immediate, given the critical severity.

Additional Code for Protection:

// Sanitize input in WordPress ('caption' is an illustrative field name; the
// advisory does not name the actual slider field)
$clean_input = sanitize_text_field( $_POST['caption'] ?? '' );
// Escape output for the context it is rendered in: esc_html() for text between
// tags, esc_attr() inside an HTML attribute, esc_url() for href/src values
echo esc_html( $clean_input );
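The following is an added example, not code from Essential Blocks or from the advisory. It places the vulnerable pattern (block attributes echoed into the page unchanged) beside a render callback that sanitizes on input and escapes each value for the context it is written into. The attribute names (caption, alt, image, link), the slide markup and the stand-in definitions for the WordPress escaping functions are assumptions made so the file also runs under plain `php`; inside WordPress the real functions are used.

```php
<?php
// Added example, not Essential Blocks' code. Contrasts unescaped rendering of
// block attributes with contextual escaping. Attribute names and markup are
// assumptions for illustration.

// Stand-ins so this file also runs under plain `php` outside WordPress; inside
// WordPress the real functions exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: keeps only http(s) URLs and encodes them for attribute use.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        return trim(strip_tags((string) $text));
    }
}

// Vulnerable pattern: values a Contributor typed into the block editor land in
// the page markup exactly as stored, so markup inside $attrs['caption'] renders.
function render_slide_vulnerable(array $attrs): string {
    return '<div class="slide">'
         . '<img src="' . $attrs['image'] . '" alt="' . $attrs['alt'] . '">'
         . '<h3>' . $attrs['caption'] . '</h3>'
         . '<a href="' . $attrs['link'] . '">' . $attrs['caption'] . '</a>'
         . '</div>';
}

// Hardened pattern: sanitize on the way in, then escape each value for the exact
// context it is written into (text node, attribute value, URL attribute).
function render_slide_safe(array $attrs): string {
    $caption = sanitize_text_field($attrs['caption'] ?? '');
    $alt     = sanitize_text_field($attrs['alt'] ?? '');
    $image   = esc_url($attrs['image'] ?? '');   // esc_url() output is attribute-safe
    $link    = esc_url($attrs['link'] ?? '');

    $html = '<div class="slide">';
    if ($image !== '') {
        $html .= '<img src="' . $image . '" alt="' . esc_attr($alt) . '">';
    }
    $html .= '<h3>' . esc_html($caption) . '</h3>';
    if ($link !== '') {
        $html .= '<a href="' . $link . '">' . esc_html($caption) . '</a>';
    }
    return $html . '</div>';
}

// Constructed attributes: the caption carries the advisory's sample payload and
// the alt text contains quotes that would otherwise break out of the attribute.
$attrs = [
    'caption' => "Summer sale <script>alert('XSS Exploit');</script>",
    'alt'     => 'Beach at "sunset" & dusk',
    'image'   => 'https://example.com/slide.jpg',
    'link'    => 'https://example.com/?cat=1&sort=new',
];

echo "Vulnerable:\n", render_slide_vulnerable($attrs), "\n\n";
echo "Hardened:\n",   render_slide_safe($attrs), "\n";
```

Run it with `php render-slide.php`: the vulnerable output contains the script element verbatim, while the hardened output shows the caption as inert text (`alert(&#039;XSS Exploit&#039;);`), the quotes in the alt text as `&quot;`, and the ampersand in the link as `&amp;`. The design point is that sanitization alone is not enough: `sanitize_text_field()` strips tags but does not know where the value will be printed, so every echo still goes through the escaping function matching its context.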

Monitoring Commands:

1. Check for Vulnerable Plugins:

wp plugin list --fields=name,version,status

2. Scan for Malware (not a core WP-CLI command; it only works if an installed security plugin or package registers a `malware` subcommand, so check `wp help` first):

wp malware scan
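As an added monitoring example (not from the advisory or the plugin), the script below does two things an operator can schedule: it parses the JSON that `wp plugin list --format=json --fields=name,version,status` prints and flags Essential Blocks at or below 5.3.1, and it scans stored post content for script markers. The plugin-list output, the `wp_posts` rows and the block name `example/parallax-slider` in them are constructed samples.

```php
<?php
// Added example, not part of the advisory or of Essential Blocks. Two checks:
// flag the vulnerable plugin version from `wp plugin list --format=json` output,
// and scan stored post content for script markers. Inputs are constructed.

// Inventory check: parse the JSON printed by
// `wp plugin list --format=json --fields=name,version,status`
// and flag Essential Blocks <= 5.3.1 (the affected range in the advisory).
function find_vulnerable_plugins(string $json): array {
    $plugins = json_decode($json, true);
    if (!is_array($plugins)) {
        return [];
    }
    $flagged = [];
    foreach ($plugins as $p) {
        if (($p['name'] ?? '') === 'essential-blocks'
            && version_compare($p['version'] ?? '0', '5.3.1', '<=')) {
            $flagged[] = sprintf('%s %s (%s)', $p['name'], $p['version'], $p['status'] ?? 'unknown');
        }
    }
    return $flagged;
}

// Content scan: look for inline script tags, inline event-handler attributes
// and javascript: URLs in stored post content. Block comments
// (<!-- wp:... {json} -->) are covered because the regexes run on the raw text.
// Returns [post_id => [indicator label, ...]].
function scan_posts_for_script_markers(array $rows): array {
    $patterns = [
        'script tag'      => '/<\s*script\b/i',
        'event handler'   => '/\son[a-z]+\s*=/i',
        'javascript: URL' => '/javascript\s*:/i',
    ];
    $hits = [];
    foreach ($rows as $row) {
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $row['post_content'])) {
                $hits[$row['ID']][] = $label;
            }
        }
    }
    return $hits;
}

// Constructed sample output of `wp plugin list --format=json`.
$pluginJson = '[{"name":"essential-blocks","version":"5.3.1","status":"active"},'
            . '{"name":"other-plugin","version":"1.0.0","status":"inactive"}]';

// Constructed wp_posts rows; the block name in the comments is hypothetical.
$rows = [
    ['ID' => 11, 'post_content' => '<!-- wp:example/parallax-slider {"caption":"Spring"} -->'
        . '<div class="slide">Spring</div><!-- /wp:example/parallax-slider -->'],
    ['ID' => 12, 'post_content' => '<!-- wp:example/parallax-slider {"caption":"<script>alert(\'XSS Exploit\');</script>"} -->'
        . '<div class="slide"><script>alert(\'XSS Exploit\');</script></div><!-- /wp:example/parallax-slider -->'],
    ['ID' => 13, 'post_content' => '<p>Plain post with a <a href="https://example.com">link</a>.</p>'],
];

foreach (find_vulnerable_plugins($pluginJson) as $line) {
    echo "VULNERABLE PLUGIN: $line\n";
}
foreach (scan_posts_for_script_markers($rows) as $id => $labels) {
    echo "POST $id: " . implode(', ', array_unique($labels)) . "\n";
}
```

In production the rows would come from `wp db query` or `$wpdb` rather than an inline array, and the plugin JSON from piping `wp plugin list --format=json` into the script. On the sample data it reports the plugin as vulnerable and flags post 12 for a script tag; a hit in a block's JSON attributes is worth reviewing even when the rendered HTML looks clean, since the render callback, not the stored markup, decides whether the payload reaches the browser.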

By following these steps, users can mitigate the risk posed by CVE-2025-1664 and secure their WordPress installations.

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1664
Extra Source Hub:
Undercode
