CVE-2025-2303: 
WordPress vulnerability analysis and mitigation

The Block Logic – Full Gutenberg Block Display Control plugin for WordPress contains a Remote Code Execution vulnerability (CVE-2025-2303) affecting all versions up to and including 1.0.8. The vulnerability was discovered and disclosed on March 21, 2025, and received a CVSS v3.1 base score of 8.8 (HIGH). This security issue affects WordPress installations using the vulnerable plugin versions (NVD).

The vulnerability exists in the blocklogiccheck_logic function where unsafe evaluation of user-controlled input occurs. The issue is specifically located at line 127 of block-logic.php, where the eval() function is used to execute user-provided input without proper sanitization. The vulnerability has been assigned CWE-94 (Improper Control of Generation of Code), and its CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (NVD, WordPress Plugin).

The vulnerability allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server. This could lead to complete system compromise, allowing attackers to gain unauthorized access to sensitive data, modify website content, or use the server for malicious purposes (NVD).

Website administrators running the Block Logic plugin should immediately update to a version newer than 1.0.8 if available, or remove the plugin if no patch is available. Additionally, reviewing and limiting user access levels can help reduce the risk of exploitation (NVD).