CVE-2025-62135

2025-12-31 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 12:16 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in landwire Responsive Block Control responsive-block-control allows DOM-Based XSS. This issue affects Responsive Block Control: from n/a through <= 1.3.0.

Analysis

DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01th percentile) suggesting minimal real-world exploitation likelihood despite public disclosure.

Technical Context

This is a DOM-based XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting the Responsive Block Control WordPress plugin. DOM-based XSS occurs when untrusted user input is directly inserted into the Document Object Model without proper sanitization or encoding, allowing an attacker's JavaScript to execute in the context of the victim's browser session. The plugin fails to neutralize user-supplied input before using it to dynamically generate web page content, creating an attack surface accessible through browser-based manipulation. WordPress plugins operating in the wp-admin or frontend contexts that handle block configuration or rendering are particularly susceptible if they do not implement consistent input validation and output encoding.

Affected Products

Responsive Block Control WordPress plugin versions from an unspecified baseline through version 1.3.0. The plugin is distributed through the official WordPress plugin repository. The vulnerability affects all installations using version 1.3.0 or earlier. WordPress site administrators and users with access to the plugin's functionality are the primary affected population.

Remediation

Update Responsive Block Control immediately to a patched version released after 1.3.0. Site administrators should navigate to Plugins > Installed Plugins in WordPress wp-admin, locate Responsive Block Control, and click Update if available. If no update is available yet, disable the plugin until the vendor releases a patched version that properly sanitizes and validates input before rendering it to the DOM. Refer to the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/responsive-block-control/vulnerability/wordpress-responsive-block-control-plugin-1-2-9-cross-site-scripting-xss-vulnerability for confirmation of patch availability and detailed remediation steps. Keep WordPress and all other plugins current to maintain defense-in-depth against XSS attacks.

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
