WordPress Plugin Vulnerabilities

Gutenberg 21.7 - 21.8 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
gutenberg
Fixed in 21.9.0

References

CVE
CVE-2025-64354
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e067b10-aa78-4cef-b3fd-b91595c54a37

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
Yes
WPVDB ID
476dae92-b86b-4acc-909d-28992438e404

Timeline

Publicly Published
2025-10-25 (about 6 months ago)
Added
2025-11-03 (about 6 months ago)
Last Updated
2026-05-11 (about 1 day ago)

Other

Published
Title
Published
2024-10-21
Title
BuddyPress Greeting Message <= 1.0.3 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
WordPress Galleria <= 1.4 - Reflected Cross-Site Scripting
Published
2024-10-11
Title
Rescue Shortcodes < 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-02-13
Title
Happy Addons for Elementor < 3.10.2 - Contributor+ Stored Cross-Site Scripting
Published
2014-08-01
Title
ThinkIT <= 0.2 - wp-admin/admin.php toitcf_current_id Parameter XSS