CVE-2025-68605
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.23.
Analysis
Stored XSS in the PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. Exploitation requires user interaction (a victim viewing a page that renders the injected content), and the CVSS 3.1 vector records a changed scope (S:C) because the script runs in visitors' browsers rather than within the vulnerable plugin itself. The EPSS score of 0.04% indicates a low real-world exploitation probability despite CVE publication.
Technical Context
The vulnerability exists in the Post Grid and Gutenberg Blocks plugin for WordPress, which provides block-based page-building functionality for displaying post grids. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is not adequately sanitized or escaped before being rendered in an HTML or JavaScript context. WordPress plugins that integrate with the Gutenberg editor must validate stored input with the WordPress sanitization functions (sanitize_*) and escape it on output with the escaping function (esc_*) that matches the output context (HTML text, attribute value, or URL); failing to do so allows authenticated users to store malicious JavaScript payloads in the database that execute when the page is viewed by other users or administrators.
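As an added illustration (not code from the Post Grid plugin, whose affected code path this entry does not identify), the CWE-79 pattern described above in a Gutenberg block render callback, beside its escaped form; the block name, attribute names and function names are hypothetical:

```php
<?php
// Added illustration, not code from the Post Grid plugin: a Gutenberg block
// render callback that echoes editor-controlled attributes into HTML.
// Block name, attribute names and function names are hypothetical.

// VULNERABLE pattern (CWE-79): attributes saved by a low-privileged editor are
// concatenated straight into markup, so a stored payload runs for every visitor.
function pg_example_render_unsafe( $attributes ) {
    $title = $attributes['title'] ?? '';
    $class = $attributes['cssClass'] ?? '';
    $url   = $attributes['linkUrl'] ?? '#';
    return '<div class="post-grid ' . $class . '">'
         . '<h2>' . $title . '</h2>'
         . '<a href="' . $url . '">More</a>'
         . '</div>';
}

// HARDENED form: each value is escaped for the exact context it lands in.
function pg_example_render_safe( $attributes ) {
    $title   = $attributes['title'] ?? '';
    $class   = $attributes['cssClass'] ?? '';
    $url     = $attributes['linkUrl'] ?? '';
    $columns = absint( $attributes['columns'] ?? 3 ); // numeric: cast, never trust
    return sprintf(
        '<div class="post-grid %s" data-columns="%d"><h2>%s</h2><a href="%s">More</a></div>',
        esc_attr( $class ), // HTML attribute context
        $columns,
        esc_html( $title ), // text-node context; use wp_kses_post() if limited HTML is intended
        esc_url( $url )     // URL context: esc_url() rejects javascript: and other unsafe schemes
    );
}

// Register the block so WordPress renders it through the escaped callback.
add_action( 'init', function () {
    register_block_type( 'pg-example/grid', array(
        'attributes'      => array(
            'title'    => array( 'type' => 'string' ),
            'cssClass' => array( 'type' => 'string' ),
            'linkUrl'  => array( 'type' => 'string' ),
            'columns'  => array( 'type' => 'number' ),
        ),
        'render_callback' => 'pg_example_render_safe',
    ) );
} );
```

Declaring attribute types lets WordPress reject malformed values, but a string attribute can still carry script content, so context-aware output escaping remains the control that closes CWE-79.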
Affected Products
PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (slug post-grid), versions from an unspecified baseline through and including 2.3.23. The vulnerability was reported via Patchstack and is documented at https://patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-18-cross-site-scripting-xss-vulnerability. This entry gives no formal CPE identifier for the plugin; site administrators should consult the WordPress plugin directory and the Patchstack advisory for the exact affected version range and patch availability.
Remediation
Update the PickPlugins Post Grid and Gutenberg Blocks plugin to a version newer than 2.3.23 (consult the plugin's official repository or the Patchstack advisory for the specific patched version). Upgrade through the WordPress admin dashboard (Plugins > Updates) once a patched release is available; verify the fix in the plugin's changelog and test the update in a staging environment before deploying to production. Until the update is applied, restrict the roles that can edit posts and blocks to trusted administrators only, and review post grid block configurations and stored post content for unexpected script tags, inline event-handler attributes, or javascript: URLs. For additional information and patch availability, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-18-cross-site-scripting-xss-vulnerability.