CVE-2025-23521
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Goodlayers Blocks goodlayers-blocks allows Reflected XSS. This issue affects Goodlayers Blocks: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability exists in Goodlayers Blocks WordPress plugin up to v1.0.1, allowing script injection via improper input neutralization.
The Goodlayers Blocks plugin for WordPress, versions through 1.0.1, fails to properly neutralize user input during web page generation. This is a classic reflected Cross-site Scripting (XSS) vulnerability [1]. The flaw originates from insufficient sanitization of request parameters before they are reflected back in the response, enabling an attacker to inject arbitrary HTML or JavaScript code.
Exploitation requires user interaction, such as clicking a crafted link or visiting a maliciously prepared page. An attacker can initiate the attack without authentication, but a privileged user (e.g., an administrator) must perform the action, potentially through social engineering [1]. The attack is reflected, meaning the payload is not stored on the server but is executed in the victim's browser session.
Successful exploitation can lead to a range of impacts, including arbitrary script execution in the context of the victim's session. This could be used to redirect users to malicious sites, display unauthorized advertisements, or steal sensitive session data [1]. The CVSS v3 base score is 7.1 (High), reflecting the moderate complexity but high potential for harm in widespread campaigns.
A patched version (1.0.3) is available, and users are strongly advised to update. For those unable to update immediately, Patchstack provides a virtual mitigation rule [1]. Given the known exploitation potential, this vulnerability is a candidate for inclusion in CISA's Known Exploited Vulnerabilities catalog.
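The vulnerable and hardened output patterns for the CWE-79 class described above, as an added illustration in plain PHP. This is not code from the Goodlayers Blocks plugin, the CVE record, or Patchstack; the parameter name `q`, the `render_unsafe`/`render_safe` functions and the sample input are constructed for the example. In a WordPress plugin the equivalent of the `htmlspecialchars()` call is `esc_html()` (or `esc_attr()` inside an attribute value), applied at the point of output.

```php
<?php
// Constructed illustration of a reflected XSS sink and its fix; not the plugin's code.
// The request parameter "q" is hypothetical.

// Vulnerable pattern: a request value is concatenated straight into the HTML response,
// so any markup the requester supplies becomes part of the page (CWE-79, reflected).
function render_unsafe(string $q): string
{
    return '<div class="result">Showing results for: ' . $q . '</div>';
}

// Hardened pattern: encode for the HTML body context at output time.
// ENT_QUOTES also encodes quotes, so the same helper is safe in attribute values;
// in WordPress use esc_html() / esc_attr() instead, which do the same job.
function render_safe(string $q): string
{
    $encoded = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="result">Showing results for: ' . $encoded . '</div>';
}

// Defender-side check: after encoding, no tag characters from the input survive into the page.
function output_neutralizes_markup(string $q): bool
{
    $html = render_safe($q);
    $injected = substr($html, strlen('<div class="result">Showing results for: '), -strlen('</div>'));
    return strpos($injected, '<') === false && strpos($injected, '>') === false;
}

// Local demo with a constructed sample input; in the vulnerable path this value is
// reflected verbatim, in the hardened path it is rendered as inert text.
$sample = $_GET['q'] ?? '<script>alert(document.domain)</script>';
echo "unsafe: " . render_unsafe($sample) . PHP_EOL;
echo "safe:   " . render_safe($sample) . PHP_EOL;
echo "neutralized: " . (output_neutralizes_markup($sample) ? 'yes' : 'no') . PHP_EOL;
```

Run it with `php example.php` to compare the two outputs. The check is deliberately simple: it only proves the HTML-body context is covered. A value reflected into a JavaScript block, a URL, or an unquoted attribute needs the encoder for that context (in WordPress, `esc_js()`, `esc_url()`, `esc_attr()`), and the Patchstack virtual rule mentioned above is a stop-gap at the request layer, not a replacement for output encoding in the plugin itself.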
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 1.0.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.