CVE-2025-12880: 
WordPress vulnerability analysis and mitigation

The Progress Bar Blocks for Gutenberg plugin for WordPress (version 1.0.0 and earlier) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2025-12880. The vulnerability was discovered and disclosed on November 10, 2025. The plugin has been temporarily closed since November 7, 2025, pending a full security review (NVD, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's handling of SVG file uploads. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected SVG file, potentially compromising the security of site visitors (NVD).

The plugin has been temporarily closed and is not available for download pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).