The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Dotcamp
  • Ultimate Blocks

Configuration 1 [-]

cpe:2.3:a:dotcamp:ultimate_blocks:*:*:*:*:*:wordpress:*:*

No data.

References
Link Providers
https://plugins.trac.wordpress.org/browser/ultimate-blocks/tags/3.2.9/src/blocks/content-filter/block.php#L14 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ultimate-blocks/tags/3.2.9/src/blocks/content-toggle/block.php#L133 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ultimate-blocks/tags/3.2.9/src/blocks/how-to/block.php#L335 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/ultimate-blocks/tags/3.2.9/src/blocks/tabbed-content/block.php#L136 cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/41b2a4cc-fb23-41eb-b1a4-d793ae924d9a?source=cve cve-icon cve-icon
History

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00042}

 epss

{'score': 0.00039}

Mon, 14 Jul 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Dotcamp
Dotcamp ultimate Blocks
CPEs cpe:2.3:a:dotcamp:ultimate_blocks:*:*:*:*:*:wordpress:*:*
Vendors & Products Dotcamp
Dotcamp ultimate Blocks

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00036}

 epss

{'score': 0.00042}

Tue, 10 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Jun 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Ultimate Blocks – WordPress Blocks Plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-06-10T11:22:52.173Z

Updated: 2025-06-10T13:59:37.592Z

Reserved: 2025-03-28T11:40:22.930Z

Link: CVE-2025-2918

cve-icon Vulnrichment

Updated: 2025-06-10T13:59:29.501Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-10T12:15:23.867

Modified: 2025-07-14T17:25:14.030

Link: CVE-2025-2918

cve-icon Redhat

No data.