CVE-2025-4420: 
WordPress vulnerability analysis and mitigation

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin is affected by a Stored Cross-Site Scripting vulnerability (CVE-2025-4420) discovered in version 1.3.1 and earlier. The vulnerability was disclosed on June 3, 2025, and affects the 'containerWidth' parameter due to insufficient input sanitization and missing capability checks (NVD CVE).

The vulnerability stems from a missing capability check in the vayublocksoptionpanelcallback() function combined with insufficient input sanitization and output escaping of the 'containerWidth' parameter. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD CVE).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising the security of site visitors (NVD CVE).

The vulnerability has been patched in version 1.3.2 of the Vayu Blocks plugin. Users are advised to update to this latest version which includes security fixes and improvements (WordPress Plugin).