CVE-2025-4420

Description

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerWidth’ parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PUBLISHED Reserved 2025-05-08 | Published 2025-06-03 | Updated 2026-04-08 | Assigner Wordfence

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Timeline

Credits

Cheng Liu finder

References

www.wordfence.com/...-4508-4fb5-941d-3f1a52528e2b?source=cve

plugins.trac.wordpress.org/...blocks/trunk/inc/admin-api.php

wordpress.org/plugins/vayu-blocks/

plugins.trac.wordpress.org/changeset/3303594/

cve.org (CVE-2025-4420)

nvd.nist.gov (CVE-2025-4420)

Download JSON