CVE-2025-9075

Name of the Vulnerable Software and Affected Versions ZoloBlocks plugin for WordPress versions prior to 2.3.10

Description The software is susceptible to Stored Cross-Site Scripting (XSS) through multiple Gutenberg blocks. This is a result of inadequate input sanitization and output escaping of user-provided attributes within several block components, including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. An authenticated attacker with contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute when a user accesses the compromised page.

Recommendations Update the ZoloBlocks plugin to a version later than 2.3.10.