Skip to main content

PickPlugins Post Grid CVE-2025-68605

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-24 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.4 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 24, 2025 - 13:16 nvd
MEDIUM 5.4

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.23.

AnalysisAI

Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects the site's security context (SameSite:Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.

Technical ContextAI

The vulnerability exists in the Post Grid and Gutenberg Blocks plugin for WordPress, a plugin that provides block-based page building functionality for displaying post grids. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), which means user-supplied input is not adequately sanitized or escaped before being rendered in HTML/JavaScript context on web pages. WordPress plugins that integrate with the Gutenberg editor must properly escape all user inputs through WordPress sanitization (sanitize_*) and escaping (esc_*) functions; failure to do so allows authenticated users to store malicious JavaScript payloads in the database that execute when the page is viewed by other users or administrators.

Affected ProductsAI

PickPlugins Post Grid and Gutenberg Blocks WordPress plugin versions from unspecified baseline through and including version 2.3.23. The vulnerability is identified via Patchstack (audit@patchstack.com) and documented at https://patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-18-cross-site-scripting-xss-vulnerability. CPE designation for WordPress plugins typically follows wp:post-grid or similar; site administrators should consult the WordPress plugin directory and Patchstack advisory for the exact affected version range and patch availability.

RemediationAI

Update PickPlugins Post Grid and Gutenberg Blocks plugin to a version newer than 2.3.23 (consult the plugin's official repository or Patchstack advisory for the specific patched version). The remediation should involve upgrading through WordPress admin dashboard (Plugins > Updates) once a patched release is available. Site administrators should verify the fix in the plugin's changelog and test the update in a staging environment before deploying to production. In the interim, restrict user roles that can edit posts and blocks to trusted administrators only, and monitor for suspicious content in post grid configurations. For additional information and patch availability, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-18-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-68605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy