CVE-2025-54708
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks b-blocks allows DOM-Based XSS. This issue affects B Blocks: from n/a through <= 2.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS in B Blocks plugin (≤2.0.5) allows unauthenticated stored XSS via improper input neutralization.
The B Blocks plugin for WordPress, versions 2.0.5 and earlier, contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This input validation flaw allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser when they interact with a crafted page or link [1].
Exploitation requires user interaction, such as clicking a malicious link or visiting a specially crafted page [1]. The vulnerability can be triggered by any user role, but successful execution depends on a privileged user action [1]. The attack surface is the plugin's front-end rendering, where unsanitized input is reflected in the DOM without proper encoding [1].
An attacker can inject malicious scripts that execute in the victim's browser, leading to actions such as redirects, ad injection, or other HTML payloads that execute when visitors access the site [1]. This could be used to steal session cookies, deface pages, or perform other client-side attacks [1].
The vendor has released version 2.0.6 to address the issue [1]. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins [1]. If updating is not possible, consult a hosting provider or web developer for mitigation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.