CVE-2025-5678: 
WordPress vulnerability analysis and mitigation

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'redirectURL' parameter in versions up to and including 3.5.10. This vulnerability was discovered and reported by Wordfence, with the initial disclosure made on July 8, 2025 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's code. This security flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST and 6.4 (Medium) by Wordfence (NVD).

When successfully exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when they visit affected pages. This could lead to various attacks including session hijacking, credential theft, or malicious redirects. The attack requires an authenticated user with at least Contributor-level privileges (NVD).

Website administrators running affected versions of the Gutenberg Blocks with AI by Kadence WP plugin should upgrade to version 3.5.11 or later, which contains patches for this vulnerability. Until the update can be applied, administrators should consider restricting Contributor access and monitoring for suspicious activity (NVD).