cleantalk
Vulnerabilities and Security Researches

Ultimate Blocks – WordPress Blocks Plugin, CVE-2025-2918

CVE, Research URL

CVE-2025-2918

Home page URL

Security reports for Ultimate Blocks – WordPress Blocks Plugin

Application

Ultimate Blocks – WordPress Blocks Plugin

Published on
Jun 10, 2025
Research Description
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 3.3.4.
Status
vulnerable
Previous vulnerability researches
Spiffy Calendar (CVE-2024-38692) , Jul 13, 2024
Spiffy Calendar (CVE-2017-9420) , Jun 07, 2024
Spiffy Calendar (CVE-2022-29434) , Jun 07, 2024
Spiffy Calendar (CVE-2022-46859) , Jun 07, 2024
Spiffy Calendar (CVE-2023-49745) , Jun 07, 2024
New vulnerability
Woocoommerce Wishlist for Website Designers (High customization, fast setup,Free Elementor Wishlist, most features) (CVE-2025-47487) , Jun 15, 2025
WP Featured Content Slider (CVE-2025-30634) , Jun 15, 2025
WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) (CVE-2025-49285) , Jun 15, 2025
All Currencies for WooCommerce (CVE-2025-30950) , Jun 15, 2025
Advanced Sermons (CVE-2025-49863) , Jun 15, 2025