WordPress Plugin Vulnerabilities

Gutenberg Blocks < 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
advanced-gutenberg
Fixed in 3.3.2

References

CVE
CVE-2025-49032
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/30670489-2db2-4c55-b46f-4818f2608ca9

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Prissy
Verified
No
WPVDB ID
0b1f3818-7a37-4bf9-b171-1476dd91a98d

Timeline

Publicly Published
2025-07-01 (about 10 months ago)
Added
2025-07-08 (about 10 months ago)
Last Updated
2025-07-08 (about 10 months ago)

Other

Published
Title
Published
2023-06-15
Title
MasterStudy LMS < 3.0.9 - Contributor+ Stored XSS
Published
2023-09-25
Title
PowerPress Podcasting < 11.0.12 - Contributor+ Stored XSS
Published
2019-07-27
Title
Animate It < 2.3.6 - XSS
Published
2015-06-24
Title
Nextend Facebook Connect < 1.5.6 - Reflected Cross-Site Scripting (XSS)
Published
2019-12-26
Title
WP Accessibility < 1.7.0 - Minor Authenticated Stored XSS in custom CSS