CVE-2025-23874: 
WordPress vulnerability analysis and mitigation

The Block Collection for You - WP Block Pack WordPress plugin version 1.1.6 and earlier contains a Reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-23874. The vulnerability was discovered by researcher SOPROBRO and publicly disclosed on January 16, 2025. This security issue affects unauthenticated users and has been assigned a CVSS score of 6.1, indicating a medium severity level (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation, allowing for Reflected Cross-Site Scripting attacks. The issue received a CVSS v3.1 base score of 6.1 (Medium), indicating significant but not critical severity. The vulnerability requires no authentication to exploit, making it particularly concerning for website security (Wordfence).

A successful exploitation of this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would then be executed when visitors access the compromised site, potentially leading to various forms of client-side attacks (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch or consider temporarily disabling the plugin until an official security update becomes available (Patchstack).