Stored Cross-Site Scripting in Vayu Blocks Plugin for WordPress
CVE-2025-4420
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 3 June 2025
What is CVE-2025-4420?
The Vayu Blocks plugin for WordPress is exposed to a Stored Cross-Site Scripting vulnerability through the 'containerWidth' parameter. This flaw arises from inadequate capability checks within the vayu_blocks_option_panel_callback() function, combined with insufficient input sanitization and output escaping mechanisms. As a result, authenticated users with Subscriber-level access or higher may exploit this vulnerability to insert malicious script into pages, potentially executing harmful code whenever a user visits the compromised page.
Affected Version(s)
Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce * <= 1.3.1