VYPR
Medium severity (6.5) · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-62135

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in landwire Responsive Block Control responsive-block-control allows DOM-Based XSS. This issue affects Responsive Block Control: from n/a through <= 1.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in Responsive Block Control plugin (≤1.3.0) allows attackers to inject malicious scripts via improper input neutralization.

Vulnerability Overview

The Responsive Block Control WordPress plugin versions up to and including 1.3.0 contain a DOM-Based Cross-Site Scripting (XSS) vulnerability [1]. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation Details

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page [1]. The vulnerability can be triggered by a privileged user (e.g., an administrator) performing an action on the affected plugin's interface [1]. No authentication is needed for the initial injection, but the attack depends on a privileged user executing the malicious payload.

Impact

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads [1]. These scripts execute when other users (including site visitors) access the compromised page, potentially leading to session hijacking, defacement, or phishing attacks [1].

Mitigation

The vendor has released version 1.3.1 which resolves the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, applying a web application firewall rule or disabling the plugin until patched is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 1
