CVE-2025-13697 in BlockArt Blocks Plugin
Summary
by MITRE • 12/02/2025
The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘timestamp’ attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 12/02/2025
The vulnerability identified as CVE-2025-13697 affects the BlockArt Blocks WordPress plugin, which serves as a comprehensive page builder solution incorporating Gutenberg blocks and template libraries. This plugin provides users with extensive customization capabilities for creating web pages through a visual interface, making it a popular choice among WordPress site administrators. The affected version range includes all releases up to and including 2.2.13, representing a significant portion of the plugin's user base and exposing numerous websites to potential security risks.
The core technical flaw resides in the insufficient sanitization and escaping of the 'timestamp' attribute within the plugin's code implementation. This vulnerability classifies under CWE-79 as a stored cross-site scripting vulnerability, where malicious scripts can be permanently stored on the server and executed whenever affected pages are accessed. The weakness specifically occurs during the processing of user input through the timestamp parameter, which fails to properly validate or escape special characters that could be interpreted as executable code by web browsers. Attackers exploiting this vulnerability can inject malicious JavaScript code through the timestamp attribute, which then gets stored in the plugin's database and executes in the context of any user who views the affected pages.
The operational impact of this vulnerability is particularly concerning given that it requires only Contributor-level access or higher to exploit, which represents a relatively low privilege threshold within WordPress's permission hierarchy. This access level typically allows users to create and edit their own posts and pages, making the attack vector accessible to a wide range of malicious actors including disgruntled employees, compromised user accounts, or attackers who have gained access to low-privilege accounts. Once successfully exploited, the stored XSS vulnerability enables attackers to execute arbitrary scripts in the browsers of unsuspecting users, potentially leading to session hijacking, credential theft, defacement of content, or redirection to malicious websites. The persistent nature of stored XSS means that the malicious code remains active until manually removed from the database, allowing for extended periods of exploitation.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the sanitization issues in the timestamp attribute processing. Organizations should also implement additional security measures including input validation at multiple layers, output escaping for all user-provided data, and regular security audits of plugin installations. The principle of least privilege should be enforced by limiting user permissions to the minimum necessary for their role, reducing the potential impact of compromised accounts. Security monitoring should include regular checks for unauthorized modifications to content and database entries, particularly around timestamp-related fields. From an ATT&CK perspective, this vulnerability aligns with techniques such as T1566.001 (Phishing: Spearphishing Attachment) and T1059.001 (Command and Scripting Interpreter: Visual Basic), as it enables attackers to establish persistent access through malicious script injection. The vulnerability also demonstrates the importance of proper input validation and output escaping as fundamental security controls, reinforcing the need for comprehensive security testing during plugin development and regular security assessments of third-party WordPress components.