CVE-2024-13803: 
WordPress vulnerability analysis and mitigation

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13803) affecting all versions up to and including 5.2.3. The vulnerability was discovered and reported by Wordfence on February 26, 2025 (NVD CVE).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'data-marker' parameter. The issue has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (Wordfence Intel).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to data theft, session hijacking, or other malicious actions (NVD CVE).

A fix has been implemented in the WordPress plugin repository as evidenced by the changeset (WordPress Changeset). Users are advised to update their Essential Blocks plugin to a version newer than 5.2.3 to mitigate this vulnerability.