Cross-site Scripting Vulnerability in Gutenberg Plugin by WordPress
CVE-2025-64354

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Gutenberg
Vendor: CVE Published:; 31 October 2025

What is CVE-2025-64354?

A stored Cross-site Scripting (XSS) vulnerability exists in the Gutenberg Plugin by WordPress, affecting versions up to 21.8.2. This vulnerability allows attackers to inject malicious scripts into web pages, which can be executed when users interact with the affected pages. Successful exploitation could lead to unauthorized actions on behalf of the victim or exposure of sensitive user data. Administrators and website owners are strongly advised to update to the latest version of the plugin to mitigate this risk.

Affected Version(s)

Gutenberg <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/gute...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2025
Vulnerability Reserved
Oct 31, 2025

Credit

Peter Thaleikis | Patchstack Bug Bounty Program

JSON