Stored Cross-Site Scripting Vulnerability in Progress Bar Blocks for Gutenberg
CVE-2025-12880

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Progress Bar Blocks For Gutenberg
Vendor: CVE Published:; 11 November 2025

What is CVE-2025-12880?

The Progress Bar Blocks for Gutenberg plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping during SVG file uploads. This vulnerability allows authenticated attackers with Author-level access or higher to execute arbitrary web scripts on user pages accessed via these SVG files, presenting a significant risk for site security.

Affected Version(s)

Progress Bar Blocks for Gutenberg * <= 1.0.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/progressmatify-blocks/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 11, 2025
Vulnerability Reserved
Nov 7, 2025

Credit

Peerapat Samatathanyakorn

JSON