Skip to main content

ThemeHunk Gutenberg Blocks EUVDEUVD-2026-13077

| CVE-2026-25438 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 09:22 euvd
EUVD-2026-13077
Analysis Generated
Mar 19, 2026 - 09:22 vuln.today
CVE Published
Mar 19, 2026 - 09:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in the ThemeHunk Gutenberg Blocks plugin for WordPress (also known as Unlimited Blocks for Gutenberg), affecting versions up to and including 1.2.8. An attacker can exploit this vulnerability by crafting malicious URLs that execute arbitrary JavaScript in victims' browsers when clicked, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of authenticated users. The vulnerability was reported by Patchstack's audit team and carries a CVSS score of 7.1, indicating high severity with cross-site scope impact.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS flaw. The affected product is the ThemeHunk Gutenberg Blocks WordPress plugin (CPE likely cpe:2.3:a:themehunk:gutenberg_blocks based on vendor and product naming). Reflected XSS occurs when user-supplied data is incorporated into web page output without proper validation or encoding, allowing attackers to inject malicious scripts that execute in the victim's browser context. In WordPress plugins, this commonly manifests through insufficiently sanitized GET or POST parameters that are echoed back in admin pages or frontend components. The Gutenberg block editor framework, which this plugin extends, requires careful handling of dynamic content to prevent script injection through block attributes or URL parameters.

RemediationAI

Users should immediately upgrade the ThemeHunk Gutenberg Blocks plugin to a version newer than 1.2.8 if available, checking the WordPress plugin repository or the vendor's official channels for the patched release. Consult the Patchstack vulnerability details at https://patchstack.com/database/wordpress/plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability for specific patch information and indicators of compromise. Until patching is completed, consider temporarily disabling the plugin if it is not critical to operations, implement web application firewall rules to filter suspicious URL parameters, and educate users about not clicking untrusted links, especially those leading to WordPress admin areas. For defense-in-depth, enforce Content Security Policy headers to restrict inline script execution and enable httpOnly flags on session cookies to limit XSS impact.

Share

EUVD-2026-13077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy