Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8.
AnalysisAI
A reflected cross-site scripting (XSS) vulnerability exists in the ThemeHunk Gutenberg Blocks plugin for WordPress (also known as Unlimited Blocks for Gutenberg), affecting versions up to and including 1.2.8. An attacker can exploit this vulnerability by crafting malicious URLs that execute arbitrary JavaScript in victims' browsers when clicked, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of authenticated users. The vulnerability was reported by Patchstack's audit team and carries a CVSS score of 7.1, indicating high severity with cross-site scope impact.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS flaw. The affected product is the ThemeHunk Gutenberg Blocks WordPress plugin (CPE likely cpe:2.3:a:themehunk:gutenberg_blocks based on vendor and product naming). Reflected XSS occurs when user-supplied data is incorporated into web page output without proper validation or encoding, allowing attackers to inject malicious scripts that execute in the victim's browser context. In WordPress plugins, this commonly manifests through insufficiently sanitized GET or POST parameters that are echoed back in admin pages or frontend components. The Gutenberg block editor framework, which this plugin extends, requires careful handling of dynamic content to prevent script injection through block attributes or URL parameters.
RemediationAI
Users should immediately upgrade the ThemeHunk Gutenberg Blocks plugin to a version newer than 1.2.8 if available, checking the WordPress plugin repository or the vendor's official channels for the patched release. Consult the Patchstack vulnerability details at https://patchstack.com/database/wordpress/plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability for specific patch information and indicators of compromise. Until patching is completed, consider temporarily disabling the plugin if it is not critical to operations, implement web application firewall rules to filter suspicious URL parameters, and educate users about not clicking untrusted links, especially those leading to WordPress admin areas. For defense-in-depth, enforce Content Security Policy headers to restrict inline script execution and enable httpOnly flags on session cookies to limit XSS impact.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13077