Platform
wordpress
Component
unlimited-blocks
Fixed in
1.2.9
CVE-2026-25438 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in the Unlimited Blocks for Gutenberg plugin. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability affects versions from 0.0 up to and including 1.2.8 of the plugin, and a patch is expected to be released by the vendor.
The primary impact of this vulnerability is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be achieved by crafting a malicious URL containing the XSS payload and tricking a user into clicking it. Successful exploitation could allow an attacker to steal session cookies, redirect users to phishing sites, or modify the content of the page. Given the plugin's functionality (adding blocks to Gutenberg), an attacker could potentially inject scripts that alter the appearance or behavior of the WordPress editor, further compromising the user's experience and potentially gaining access to sensitive data. The scope of impact is limited to users who interact with the vulnerable plugin and are tricked into visiting a malicious link.
CVE-2026-25438 was publicly disclosed on 2026-03-19. As of this date, there are no known public proof-of-concept exploits available. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of Reflected XSS vulnerabilities, it is likely that proof-of-concept exploits will emerge relatively quickly, making prompt patching critical.
Websites using the Unlimited Blocks for Gutenberg plugin, particularly those with user-generated content or where users are likely to click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server infrastructure could also be affected if one site is compromised and used to distribute malicious links.
• wordpress / composer / npm:
# search plugin headers for the display name
grep -r 'Unlimited Blocks for Gutenberg' /var/www/html/wp-content/plugins/
# wp-cli lists plugins by slug, so match the slug rather than the display name
wp plugin list | grep 'unlimited-blocks'
• generic web:
# check whether a Content-Security-Policy header is served at all
curl -I 'https://example.com/?param=<script>alert(1)</script>' | grep 'Content-Security-Policy'
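The grep commands above only tell you that the plugin is present; they do not tell you whether the installed copy is inside the affected range (0.0 through 1.2.8). The following script is an added example, not code from the advisory or from the plugin vendor: it reads the WordPress plugin header of the main plugin file, extracts the Version: line and compares it numerically against the fixed release 1.2.9 stated above. The plugin directory slug unlimited-blocks and the plugins path are assumptions taken from the page's metadata and the grep command; the sample header is constructed.

```python
"""Check whether an installed copy of the plugin is in the affected range.

Added example, not code from the advisory or from the plugin's vendor.
Assumptions (labelled): the plugin lives in the directory slug
'unlimited-blocks' and its main PHP file carries a standard WordPress
plugin header with a 'Version:' line. The fixed version 1.2.9 and the
affected range (0.0 through 1.2.8) are taken from the advisory.
"""
import re
from pathlib import Path

FIXED_VERSION = "1.2.9"  # from the advisory's "Fixed in" field
PLUGIN_NAME = "Unlimited Blocks for Gutenberg"

# Constructed sample plugin header (what a plugin's main .php file typically starts with).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Unlimited Blocks for Gutenberg
 * Version: 1.2.8
 */
"""


def parse_version(n: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", n))


def plugin_version_from_header(text: str):
    """Return the Version: value from a WordPress plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Every release below the fixed version is in the affected range."""
    return parse_version(version) < parse_version(fixed)


def find_plugin_header(plugins_dir: str, slug: str = "unlimited-blocks"):
    """Locate the main plugin file by its 'Plugin Name:' header (slug is an assumption)."""
    for php in Path(plugins_dir, slug).glob("*.php"):
        text = php.read_text(errors="ignore")
        if f"Plugin Name: {PLUGIN_NAME}" in text:
            return text
    return None


def check(plugins_dir: str = "/var/www/html/wp-content/plugins") -> str:
    """Human-readable verdict for one WordPress install."""
    header = find_plugin_header(plugins_dir)
    if header is None:
        return "plugin not installed"
    v = plugin_version_from_header(header)
    if v is None:
        return "installed, version unknown"
    return f"{v}: {'AFFECTED, update to ' + FIXED_VERSION if is_affected(v) else 'patched'}"


if __name__ == "__main__":
    print(check())
```

Numeric comparison matters here: a string compare would rank 1.2.10 below 1.2.9 and report a patched install as affected.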
Exploit Status
EPSS
0.04% (percentile 11%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25438 is to upgrade to a patched version of the Unlimited Blocks for Gutenberg plugin as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin if it is not essential. As a short-term workaround, implement strict input validation and output encoding on any user-supplied data that is displayed on the page. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide some protection, although they are not a substitute for patching the vulnerability. Monitor web server access logs for suspicious URL patterns containing JavaScript code.
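The last mitigation above, monitoring access logs for URL patterns that carry JavaScript, can be automated. The script below is an added example, not from the advisory: it parses combined-format (Apache/nginx) access log lines, URL-decodes the request target twice so that single- and double-encoded payloads are normalised, and flags requests containing a few well-known XSS markers. The log field layout is assumed to be the standard combined format and the sample lines are constructed; hits are leads for investigation, not proof that the reflected parameter was actually vulnerable.

```python
"""Flag access-log requests whose query string carries script-like content.

Added example, not from the advisory: a small detector for the log
monitoring the advisory recommends. It parses combined-format log lines
(field layout assumed), URL-decodes the request target twice so encoded
payloads are normalised, and matches a few well-known XSS markers.
"""
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status size "referer" "ua"
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Markers that rarely appear in legitimate query strings.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:img|svg|iframe)\b|\bon(?:error|load|click|mouseover|focus)\s*=",
    re.IGNORECASE,
)


def normalise_target(target: str) -> str:
    """Decode percent-encoding twice (catches double-encoded payloads), then '+' to space."""
    return unquote(unquote(target)).replace("+", " ")


def looks_like_xss(target: str) -> bool:
    """True if the normalised request target contains an XSS marker."""
    return XSS_MARKERS.search(normalise_target(target)) is not None


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target, "status": int(status)}


def scan(lines):
    """Return parsed entries whose request target matches an XSS marker."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and looks_like_xss(entry["target"]):
            hits.append(entry)
    return hits


# Constructed sample lines (not real traffic). Line 3 is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Mar/2026:10:00:01 +0000] "GET /?s=gutenberg+blocks HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Mar/2026:10:00:02 +0000] "GET /?param=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 841 "-" "curl/8.0"',
    '203.0.113.9 - - [19/Mar/2026:10:00:03 +0000] "GET /?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 901 "-" "curl/8.0"',
    '198.51.100.2 - - [19/Mar/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

Run it against a real access log with scan(open("/var/log/apache2/access.log")); a 200 response to a flagged request is the case worth reviewing first, since a WAF block would normally show as 403.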
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-25438 is a Reflected XSS vulnerability affecting the Unlimited Blocks for Gutenberg plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using Unlimited Blocks for Gutenberg versions 0.0 through 1.2.8. Check your plugin version and upgrade as soon as a patch is available.
Upgrade to the latest version of Unlimited Blocks for Gutenberg as soon as a patch is released by the vendor. Temporarily disable the plugin as a workaround.
As of 2026-03-19, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and exploits may emerge.
Refer to the official ThemeHunk website and WordPress plugin repository for updates and security advisories related to CVE-2026-25438.