{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25438", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:40.963Z", "datePublished": "2026-03-19T08:34:38.200Z", "dateUpdated": "2026-03-19T13:59:59.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:34:38.200Z"}, "title": "WordPress Gutenberg Blocks \u2013 Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "affected": [{"vendor": "ThemeHunk", "product": "Gutenberg Blocks", "collectionURL": "https://wordpress.org/plugins", "packageName": "unlimited-blocks", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "1.2.8", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.<p>This issue affects Gutenberg Blocks: from n/a through 1.2.8.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}}], "credits": [{"lang": "en", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:59:02.626869Z", "id": "CVE-2026-25438", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:59:59.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25438", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:59:02.626869Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:59:35.991Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Gutenberg Blocks \u2013 Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeHunk", "product": "Gutenberg Blocks", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.2.8"}], "packageName": "unlimited-blocks", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.<p>This issue affects Gutenberg Blocks: from n/a through 1.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:34:38.200Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25438", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:59:59.886Z", "dateReserved": "2026-02-02T12:53:40.963Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:34:38.200Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8."}], "id": "CVE-2026-25438", "lastModified": "2026-03-19T13:25:00.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:17.113", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Gutenberg Blocks", "source": "cna", "vendor": "ThemeHunk"}, "product": "gutenberg_blocks", "vendor": "themehunk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T09:21:57.971235+00:00", "value": {"mitigation_remediation": ["Apply the latest available patch for the Gutenberg Blocks plugin (version 1.2.9 or newer).", "If a patch is not immediately available, restrict access to the plugin\u2019s administrative interfaces and block any suspicious URLs from being processed."], "summary": {"action": "Immediate Patch", "impact": "Reflected Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The flaw exists in the WordPress plugin ThemeHunk Gutenberg Blocks. All installations of the plugin up to\u2014and including\u2014version 1.2.8 are affected. No specific WordPress core version restrictions are listed. Anyone using v1.2.8 or earlier should consider this risky.", "description_and_impact": "This vulnerability arises from improper neutralization of user input during rendering in the Gutenberg Blocks plugin, allowing attackers to inject malicious scripts that are reflected back to the browser. A successful exploit could lead to execution of arbitrary client\u2011side code, potentially enabling credential theft, defacement, or redirection. The weakness is a classic reflected XSS issue, classified as CWE\u201179. The impact is limited to the browsing session of users who visit a crafted URL, but can be leveraged by an attacker who can lure victims through phishing or other social engineering. The vulnerability does not appear to provide direct access to server\u2011side code or data beyond the local session context.", "risk_and_exploitability": "The CVSS score is 7.1, indicating a medium\u2011to\u2011high severity. The EPSS score is not available, so the reported exploit probability cannot be quantified here. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit it remotely by crafting a URL containing malicious JavaScript that the plugin reflects into the page. Successful exploitation requires that a victim (or an attacker with access to the admin area) visit the crafted URL. The attack does not require local privileges or administrative access to the server, but does require that the plugin is running on the target WordPress installation."}}}}, "created": "2026-03-20T08:57:05.760889+00:00", "updated": "2026-03-20T14:15:21.543023+00:00", "vendors": ["themehunk", "themehunk$PRODUCT$gutenberg_blocks", "wordpress", "wordpress$PRODUCT$wordpress"]}