CVE-2025-6572
Description
The OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.2.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the plugin's block options allows contributor-level users to inject malicious scripts into posts or pages.
Vulnerability
Analysis
The OpenStreetMap for Gutenberg and WPBakery Page Builder plugin (versions up to and including 1.2.0) fails to validate and escape certain block options before outputting them within a post or page where the block is embedded [1]. This lack of sanitization means that when a block option value is used in a rendered page, no filtering or encoding is applied, allowing arbitrary HTML and JavaScript to be inserted.
Exploitation
A user with at least the Contributor role can exploit this vulnerability by supplying a crafted value for one of the affected block options. Contributors normally lack the unfiltered_html capability, so WordPress filters the content they save; the exploit relies instead on the plugin rendering the block option without escaping, which sidesteps that role-based filtering. The attack is stored, meaning the payload is saved in the database and executed automatically whenever the page is viewed by any visitor.
Impact
An attacker who successfully executes a stored XSS attack can perform a range of actions in the context of the victim's session, such as stealing cookies, redirecting users to malicious sites, or performing actions on behalf of the victim (e.g., creating new admin accounts if a site administrator views the page). The CVSS score of 5.9 reflects a medium severity due to the need for contributor-level access and user interaction.
Mitigation
As of the advisory's publication date (July 2025), no fix was available for this plugin, and users were advised to apply WordPress security best practices such as limiting contributor roles and using a Web Application Firewall [1]. It is recommended to disable or remove the plugin until a patched version is released.
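For plugin developers, the server-side fix is to escape every block option in the context where it is output. The following is an added example and not the plugin's own code; the block name `osm-example/map`, its attribute names and the markup are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): a hypothetical Gutenberg map block
// whose render callback escapes every block option before output.
// Block name, attribute names and markup are assumptions for illustration.

function osm_example_register_block() {
    register_block_type( 'osm-example/map', array(
        // Declared types let the editor reject mismatched values, but
        // server-side escaping is still required: the saved block can carry
        // arbitrary strings written by a Contributor.
        'attributes' => array(
            'lat'   => array( 'type' => 'number',  'default' => 0 ),
            'lon'   => array( 'type' => 'number',  'default' => 0 ),
            'zoom'  => array( 'type' => 'integer', 'default' => 12 ),
            'title' => array( 'type' => 'string',  'default' => '' ),
            'link'  => array( 'type' => 'string',  'default' => '' ),
        ),
        'render_callback' => 'osm_example_render_map',
    ) );
}
add_action( 'init', 'osm_example_register_block' );

// Unsafe pattern the advisory describes: concatenating an option straight
// into markup, e.g. '<div data-title="' . $atts['title'] . '">'.
// Safe pattern: coerce numeric options and escape the rest per context.
function osm_example_render_map( $atts ) {
    $lat   = (float) ( $atts['lat'] ?? 0 );   // numeric cast: no markup survives
    $lon   = (float) ( $atts['lon'] ?? 0 );
    $zoom  = absint( $atts['zoom'] ?? 12 );
    $title = sanitize_text_field( $atts['title'] ?? '' );
    $link  = $atts['link'] ?? '';

    $html  = sprintf(
        '<div class="osm-map" data-lat="%s" data-lon="%s" data-zoom="%d">',
        esc_attr( $lat ), esc_attr( $lon ), $zoom          // attribute context
    );
    $html .= '<p class="osm-map__title">' . esc_html( $title ) . '</p>'; // text context
    if ( '' !== $link ) {
        // esc_url() rejects javascript:/data: schemes and encodes the rest
        $html .= '<a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a>';
    }
    return $html . '</div>';
}
```

Reviewing a plugin for this class of bug comes down to checking that each value from `$atts` reaches the output only through `esc_attr()`, `esc_html()`, `esc_url()` or an equivalent for its context.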
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.