{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25438", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:40.963Z", "datePublished": "2026-03-19T08:34:38.200Z", "dateUpdated": "2026-04-28T16:14:59.207Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "unlimited-blocks", "product": "Gutenberg Blocks", "vendor": "ThemeHunk", "versions": [{"lessThanOrEqual": "1.2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:05.187Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS.<p>This issue affects Gutenberg Blocks: from n/a through <= 1.2.8.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through <= 1.2.8."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.207Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Gutenberg Blocks \u2013 Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T13:59:02.626869Z", "id": "CVE-2026-25438", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:59:59.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25438", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T13:59:02.626869Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T13:59:35.991Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Gutenberg Blocks \u2013 Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeHunk", "product": "Gutenberg Blocks", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.2.8"}], "packageName": "unlimited-blocks", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through 1.2.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks allows Reflected XSS.<p>This issue affects Gutenberg Blocks: from n/a through 1.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T08:34:38.200Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25438", "state": "PUBLISHED", "dateUpdated": "2026-03-19T13:59:59.886Z", "dateReserved": "2026-02-02T12:53:40.963Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T08:34:38.200Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through <= 1.2.8."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en ThemeHunk Gutenberg Blocks permite XSS Reflejado. Este problema afecta a Gutenberg Blocks: desde n/d hasta 1.2.8."}], "id": "CVE-2026-25438", "lastModified": "2026-04-23T15:37:09.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T09:16:17.113", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/unlimited-blocks/vulnerability/wordpress-gutenberg-blocks-unlimited-blocks-for-gutenberg-plugin-1-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Gutenberg Blocks", "source": "cna", "vendor": "ThemeHunk"}, "product": "gutenberg_blocks", "vendor": "themehunk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:24:31.103849+00:00", "value": {"mitigation_remediation": ["Update the Gutenberg Blocks plugin to a version newer than 1.2.8; if an update is not immediately available, disable or delete the plugin to eliminate the attack surface.", "Exercise caution when visiting unfamiliar URLs on sites that use this plugin, and ensure site administrators scrutinize URLs accessed by users to detect potential malicious injections.", "Verify that all other components of the WordPress installation are current, as unpatched versions may provide additional vectors for XSS or related attacks."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the ThemeHunk Gutenberg Blocks\"Unlimited Blocks For Gutenberg\" plugin on WordPress installations with version 1.2.8 or earlier. Sites using this plugin, regardless of other WordPress components, are vulnerable until the plugin is upgraded beyond the stated limit.", "description_and_impact": "This vulnerability is an improper neutralization of input during web page generation that permits malicious scripts to be reflected in browser responses. An attacker can craft a URL or input containing JavaScript code that is executed in the victim\u2019s browser when the page is loaded, potentially enabling credential theft, session hijacking, or defacement. The weakness corresponds to CWE\u201179 and can compromise the confidentiality and integrity of the affected site.", "risk_and_exploitability": "The EPSS score is below 1%, indicating a low probability of widespread exploitation, and the vulnerability has not been listed in the CISA KEV catalog. However, the attack vector is likely remote via a crafted URL or form input, requiring the victim to visit a malicious link. The CVSS score of 7.1 indicates a moderate severity. Until patched, the vulnerability remains actively exploitable by opportunistic actors."}}}}, "created": "2026-03-20T08:57:05.760889+00:00", "updated": "2026-04-28T17:30:10.621959+00:00", "vendors": ["themehunk", "themehunk$PRODUCT$gutenberg_blocks", "wordpress", "wordpress$PRODUCT$wordpress"]}