Cozy Blocks < 2.1.30 – Unauthenticated Arbitrary Shortcode Execution | CVE 2025-59573 | Plugin Vulnerabilities

Description

The The Cozy Blocks – All-in-One Page Builder Blocks for Gutenberg and Full Site Editing (FSE) plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.1.29. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Fixed in 2.1.30

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4d9ef3ab-fdba-4f9c-9323-0731a8d9db54

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

0xd4rk5id3

Verified

No

WPVDB ID

5080baeb-a3ab-4cab-b0f2-a0bac9859ffd

Timeline

Publicly Published

2025-09-22 (about 7 months ago)

Added

2025-09-26 (about 7 months ago)

Last Updated

2025-09-26 (about 7 months ago)

Other

Published

Title

Published

2025-10-25

Title

HAPPY < 1.0.8 - Unauthenticated Remote Code Execution

Published

2024-09-13

Title

FOX – Currency Switcher Professional for WooCommerce < 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution

Published

2017-11-11

Title

WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)

Published

2014-08-01

Title

DZS Video Gallery - ajax.php source Parameter Reflected XSS

Published

2025-05-16

Title

RS WP Book Showcase <= 6.7.57 - Unauthenticated Arbitrary Shortcode Execution