CVE-2025-64354
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matias Ventura Gutenberg gutenberg allows Stored XSS. This issue affects Gutenberg: from n/a through <= 21.8.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Gutenberg plugin up to 21.8.2 allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability Overview
CVE-2025-64354 is a stored cross-site scripting (XSS) vulnerability in the WordPress Gutenberg plugin, affecting versions from n/a through 21.8.2. The issue stems from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary scripts that are stored on the server and executed when other users visit affected pages [1].
Exploitation Conditions
Exploitation requires an authenticated user with the ability to contribute or edit content, such as a contributor or author role. The attacker crafts a malicious payload that bypasses sanitization, which then gets stored in the database. Successful exploitation depends on the victim (e.g., an administrator or visitor) viewing the compromised page, triggering the injected script [1].
Impact
A successful attack enables the attacker to execute JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The CVSS v3 base score is 6.5 (Medium), indicating moderate severity with potential for widespread impact in automated campaigns [1].
Mitigation
The vulnerability is fixed in version 21.9.0. Users are strongly advised to update immediately. For those unable to update, workarounds may include restricting user roles or employing a web application firewall. The plugin maintainers recommend auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 21.8.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.