CVE-2025-1703: 
WordPress vulnerability analysis and mitigation

The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'content' parameter in versions up to and including 3.2.7. This vulnerability was discovered and disclosed on March 26, 2025. The issue affects the plugin's content handling functionality and allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's content handling mechanism. The issue specifically affects the content parameter processing, allowing authenticated users to inject arbitrary web scripts that execute when other users access the affected pages. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD CVE, Wordfence Intel).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts that execute in users' browsers when they access the affected pages. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (NVD CVE).

The vulnerability has been patched in version 3.2.8 of the Ultimate Blocks plugin. Users are strongly advised to update to this version or later to protect against this security issue. The update includes improvements to input sanitization and output escaping mechanisms (WordPress Plugin).