CVE-2025-3414: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Structured Content WordPress plugin versions below 1.7.0. The vulnerability was assigned CVE-2025-3414 and was publicly disclosed on July 24, 2025. The vulnerability affects users with contributor role and above who can create or edit posts using the Structured Content plugin (WPScan).

The vulnerability exists because the plugin does not properly validate and escape some of its block options before outputting them back in a page/post where the block is embedded. Specifically, the vulnerability is triggered through the FAQ block's Additional CSS class(es) form field. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) (WPScan).

Successful exploitation of this vulnerability could allow authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of arbitrary JavaScript code in visitors' browsers when they view the affected pages (WPScan).

The vulnerability has been fixed in version 1.7.0 of the Structured Content plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).