Urgent: Stored XSS Vulnerability Discovered in BlockArt Blocks WordPress Plugin (CVE-2025-13697)

Overview

A critical security vulnerability, identified as CVE-2025-13697, has been discovered in the BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library plugin for WordPress. This vulnerability is a Stored Cross-Site Scripting (XSS) flaw that could allow attackers to inject malicious scripts into your WordPress website, potentially compromising user data and site integrity. All versions up to, and including, 2.2.13 are affected. Immediate action is recommended to mitigate this risk.

Technical Details

The vulnerability exists due to insufficient input sanitization and output escaping of the ‘timestamp’ attribute within the BlockArt Blocks plugin. Specifically, an authenticated attacker with Contributor-level access or higher can inject arbitrary web scripts through the plugin’s functionality. This injected script is then stored in the database and executed whenever a user accesses a page containing the injected code.

The attack vector revolves around manipulating the ‘timestamp’ attribute. Without proper sanitization, malicious JavaScript code can be embedded within this attribute. When the affected page is rendered, this injected script will execute in the user’s browser, allowing the attacker to potentially steal cookies, redirect users to malicious websites, or perform other malicious actions.
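As an added illustration (not BlockArt's own code), the hypothetical PHP render callback below contrasts the weak pattern described above, a saved 'timestamp' attribute written straight into markup, with a hardened one that validates the value as a timestamp and escapes it on output; the block markup, function names and attribute shape are assumptions.

```php
<?php
// Added example, not the plugin's code: a hypothetical dynamic-block render
// callback carrying a 'timestamp' attribute, weak form beside hardened form.
// Block markup and function names are assumptions for illustration.

// Polyfill so the example runs with plain `php` outside WordPress; inside
// WordPress the real esc_attr()/esc_html() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}

// Weak: the stored attribute is trusted and concatenated into HTML. Any user
// who can save block attributes (Contributor and up) controls this output,
// which is the stored XSS sink pattern; kept only for comparison.
function render_countdown_weak(array $attributes): string {
    $ts = $attributes['timestamp'] ?? '';
    return '<div class="countdown" data-timestamp="' . $ts . '">' . $ts . '</div>';
}

// Hardened: allowlist what a timestamp can legitimately be (Unix epoch or an
// ISO 8601 date-time), drop anything else, and still escape at output time.
function sanitize_timestamp_attribute($value): string {
    $value = trim((string) $value);
    if (preg_match('/^\d{1,12}$/', $value)) {
        return $value;                                    // epoch seconds/millis
    }
    if (preg_match('/^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2})?(Z|[+-]\d{2}:\d{2})?)?$/', $value)) {
        return $value;                                    // ISO 8601
    }
    return '';                                            // reject everything else
}

function render_countdown_hardened(array $attributes): string {
    $ts = sanitize_timestamp_attribute($attributes['timestamp'] ?? '');
    return '<div class="countdown" data-timestamp="' . esc_attr($ts) . '">'
        . esc_html($ts) . '</div>';
}

// Constructed input: a saved value that is not a timestamp and carries markup.
// The weak renderer emits it raw; the hardened one rejects it and escapes.
$attrs = ['timestamp' => 'not-a-timestamp"><b>injected</b>'];
echo render_countdown_weak($attrs), PHP_EOL;
echo render_countdown_hardened($attrs), PHP_EOL;
```

The same two-layer rule applies to any block attribute: validate against the expected shape when saving, and escape with the context-appropriate WordPress function when rendering, since either layer alone can be bypassed by a later code path.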

CVSS Analysis

  • CVE ID: CVE-2025-13697
  • Severity: MEDIUM
  • CVSS Score: 6.4

A CVSS score of 6.4 indicates a Medium severity. While the vulnerability requires authentication (Contributor level or higher), the potential impact of a successful exploit is significant. Compromising user sessions and performing actions on their behalf makes this a serious threat.

Possible Impact

A successful exploitation of this Stored XSS vulnerability can lead to:

  • Account Takeover: Attackers can steal user session cookies and gain unauthorized access to administrator accounts.
  • Malicious Redirection: Users can be redirected to phishing websites designed to steal credentials or install malware.
  • Website Defacement: The website’s content can be altered or defaced, damaging the site’s reputation.
  • Data Theft: Sensitive data, such as user information, can be stolen.
  • Malware Distribution: The website can be used to distribute malware to visitors.

Mitigation and Patch Steps

The primary mitigation step is to update the BlockArt Blocks plugin to the latest version. The vulnerability has been patched in versions later than 2.2.13.

  1. Update the Plugin: Navigate to the “Plugins” section in your WordPress dashboard and update the BlockArt Blocks plugin to the latest available version.
  2. Verify the Update: After updating, ensure that you are running a version higher than 2.2.13.
  3. Review User Roles: Consider limiting Contributor-level access to trusted users only.
  4. Implement a Web Application Firewall (WAF): A WAF can provide an additional layer of protection by filtering out malicious requests.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
