cleantalk
Vulnerabilities and Security Researches

Ghost Kit – Page Builder Blocks & Extensions, CVE-2025-9992

CVE, Research URL

CVE-2025-9992

Home page URL

Security reports for Ghost Kit – Page Builder Blocks & Extensions

Application

Ghost Kit – Page Builder Blocks & Extensions

Published on
Sep 18, 2025
Research Description
The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.4.4.
Status
vulnerable
Previous vulnerability researches
Team – WordPress Team Members Showcase Plugin (CVE-2025-57975) , Apr 23, 2026
Team – WordPress Team Members Showcase Plugin (CVE-2026-25026) , Mar 30, 2026
Team – WordPress Team Members Showcase Plugin (CVE-2026-32396) , Mar 30, 2026
Team – WordPress Team Members Showcase Plugin (CVE-2024-9236) , May 19, 2025
Team – WordPress Team Members Showcase Plugin (CVE-2025-14124) , Jan 09, 2026
New vulnerability
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder (CVE-2025-9260) , Apr 23, 2026
Text Snippets (CVE-2026-5748) , Apr 23, 2026
Bread & Butter: real lead capture, gated content & newsletter opt-ins (CVE-2026-4279) , Apr 23, 2026
WP News and Scrolling Widgets (CVE-2026-6443) , Apr 23, 2026
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin (CVE-2025-7813) , Apr 23, 2026